[Kernel Bug] possible deadlock in set_capacity_and_notify

From: 李龙兴

Date: Mon Feb 02 2026 - 01:43:37 EST


Dear Linux kernel developers and maintainers,

We would like to report a new kernel bug found by our tool: possible
deadlock in set_capacity_and_notify. Details are as follows.

Kernel commit: v6.12.11
Kernel config: see attachment
Report: see attachment

We are currently analyzing the root cause and working on a
reproducible PoC. We will provide further updates in this thread as
soon as we have more information.

Best regards,
Longxing Li

======================================================
WARNING: possible circular locking dependency detected
6.12.11 #1 Not tainted
------------------------------------------------------
kworker/u15:5/211011 is trying to acquire lock:
ffffffff8e14aee0 (fs_reclaim){+.+.}-{0:0}, at: might_alloc include/linux/sched/mm.h:318 [inline]
ffffffff8e14aee0 (fs_reclaim){+.+.}-{0:0}, at: slab_pre_alloc_hook mm/slub.c:4058 [inline]
ffffffff8e14aee0 (fs_reclaim){+.+.}-{0:0}, at: slab_alloc_node mm/slub.c:4136 [inline]
ffffffff8e14aee0 (fs_reclaim){+.+.}-{0:0}, at: kmem_cache_alloc_node_noprof+0x57/0x310 mm/slub.c:4208

but task is already holding lock:
ffffffff90213728 (uevent_sock_mutex){+.+.}-{4:4}, at: uevent_net_broadcast_untagged lib/kobject_uevent.c:317 [inline]
ffffffff90213728 (uevent_sock_mutex){+.+.}-{4:4}, at: kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
ffffffff90213728 (uevent_sock_mutex){+.+.}-{4:4}, at: kobject_uevent_env+0xb21/0x1860 lib/kobject_uevent.c:608

which lock already depends on the new lock.

...

other info that might help us debug this:

Chain exists of:
fs_reclaim --> &q->q_usage_counter(io)#69 --> uevent_sock_mutex

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(uevent_sock_mutex);
                               lock(&q->q_usage_counter(io)#69);
                               lock(uevent_sock_mutex);
  lock(fs_reclaim);

*** DEADLOCK ***

4 locks held by kworker/u15:5/211011:
#0: ffff888091b33948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90006587d80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88809649c078 (&hdev->lock){+.+.}-{4:4}, at: hci_conn_complete_evt+0xbd/0x1580 net/bluetooth/hci_event.c:3076
#3: ffffffff90213728 (uevent_sock_mutex){+.+.}-{4:4}, at: uevent_net_broadcast_untagged lib/kobject_uevent.c:317 [inline]
#3: ffffffff90213728 (uevent_sock_mutex){+.+.}-{4:4}, at: kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
#3: ffffffff90213728 (uevent_sock_mutex){+.+.}-{4:4}, at: kobject_uevent_env+0xb21/0x1860 lib/kobject_uevent.c:608

stack backtrace:
CPU: 1 UID: 0 PID: 211011 Comm: kworker/u15:5 Not tainted 6.12.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x419/0x5d0 kernel/locking/lockdep.c:2074
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5202
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
__fs_reclaim_acquire mm/page_alloc.c:3853 [inline]
fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:3867
might_alloc include/linux/sched/mm.h:318 [inline]
slab_pre_alloc_hook mm/slub.c:4058 [inline]
slab_alloc_node mm/slub.c:4136 [inline]
kmem_cache_alloc_node_noprof+0x57/0x310 mm/slub.c:4208
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1322 [inline]
alloc_uevent_skb+0x7d/0x210 lib/kobject_uevent.c:289
uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline]
kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
kobject_uevent_env+0xc8f/0x1860 lib/kobject_uevent.c:608
device_add+0x10e0/0x1a70 drivers/base/core.c:3646
hci_conn_add_sysfs+0x17e/0x230 net/bluetooth/hci_sysfs.c:48
hci_conn_complete_evt+0x505/0x1580 net/bluetooth/hci_event.c:3147
hci_event_func net/bluetooth/hci_event.c:7474 [inline]
hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7526
hci_rx_work+0x2c6/0x1650 net/bluetooth/hci_core.c:4030
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
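To show how lockdep arrives at "which lock already depends on the new lock", here is the report's dependency chain replayed through a minimal userspace lock-order checker. This is an added illustration written for this page, not kernel code or the reporter's tool; the three lock classes and the two recorded edges come from the report above, while the function names and the adjacency-matrix graph are a constructed model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lock classes named as in the report (constructed model, not kernel code). */
enum { FS_RECLAIM, Q_USAGE_COUNTER, UEVENT_SOCK_MUTEX, NLOCKS };
static const char *lock_name[NLOCKS] = {
    "fs_reclaim", "&q->q_usage_counter(io)#69", "uevent_sock_mutex" };

/* dep[a][b] == true means b was acquired while a was held ("a --> b"). */
static bool dep[NLOCKS][NLOCKS];

/* Depth-first search: is there a path from 'from' to 'to' in the graph? */
static bool reaches(int from, int to, bool *seen)
{
    if (from == to) return true;
    seen[from] = true;
    for (int n = 0; n < NLOCKS; n++)
        if (dep[from][n] && !seen[n] && reaches(n, to, seen))
            return true;
    return false;
}

/* Called when a task holding 'held' acquires 'new_lock'. Returns true if
   the edge held --> new_lock is consistent, false if it closes a cycle. */
static bool lock_acquire_check(int held, int new_lock)
{
    bool seen[NLOCKS] = { false };
    if (reaches(new_lock, held, seen)) {   /* new_lock already depends on held */
        printf("possible circular locking dependency: %s --> %s closes a cycle\n",
               lock_name[held], lock_name[new_lock]);
        return false;
    }
    dep[held][new_lock] = true;
    return true;
}

static void reset_deps(void) { memset(dep, 0, sizeof dep); }

/* Replay the chain from the report, then the acquisition that triggered it. */
static bool replay_report(void)
{
    reset_deps();
    bool ok = lock_acquire_check(FS_RECLAIM, Q_USAGE_COUNTER);      /* fs_reclaim --> q_usage_counter */
    ok &= lock_acquire_check(Q_USAGE_COUNTER, UEVENT_SOCK_MUTEX);   /* q_usage_counter --> uevent_sock_mutex */
    /* kworker holds uevent_sock_mutex and allocates an skb, which takes fs_reclaim */
    return ok && lock_acquire_check(UEVENT_SOCK_MUTEX, FS_RECLAIM);
}

int main(void)
{
    return replay_report() ? 0 : 1;   /* exits 1: the replay closes the cycle */
}
```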

https://drive.google.com/file/d/17HbDTI_iPjA72SkV5MnO-_w7IQZ9HIHW/view?usp=drive_link

https://drive.google.com/file/d/1LCQXLXGZSnRKePz0E_1nztMXbnpKtxAO/view?usp=drive_link