Syzkaller reports the following issue: BUG: sleeping function called from invalid context in team_change_rx_flags 3 locks held by syz.1.1814/12326: #0: ffffffff8fa21eb8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8fa21eb8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #0: ffffffff8fa21eb8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570 #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline] #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054 #2: ffff8880635e8368 (&macsec_netdev_addr_lock_key#2/2){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline] #2: ffff8880635e8368 (&macsec_netdev_addr_lock_key#2/2){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689 Preemption disabled at: [] local_bh_disable include/linux/bottom_half.h:20 [inline] ^^^^ [] netif_addr_lock_bh include/linux/netdevice.h:4804 [inline] [] dev_uc_add+0x56/0x120 net/core/dev_addr_lists.c:689 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline] check_wait_context kernel/locking/lockdep.c:4905 [inline] __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871 __mutex_lock_common kernel/locking/mutex.c:602 [inline] __mutex_lock+0x182/0xe80 kernel/locking/mutex.c:747 team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781 dev_change_rx_flags net/core/dev.c:9241 [inline] __dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9305 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:287 dev_change_rx_flags net/core/dev.c:9241 [inline] __dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285 __dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1 dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693 macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634 __dev_open+0x470/0x880 net/core/dev.c:1683 __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458 rtnl_configure_link net/core/rtnetlink.c:3577 [inline] rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833 mutex_lock/mutex_unlock are called from team_change_rx_flags with BH disabled (caused by netif_addr_lock_bh). Switch to spinlock instead to avoid sleeping with BH disabled. Reported-by: syzbot+8182574047912f805d59@syzkaller.appspotmail.com Signed-off-by: Ujwal Kundur --- drivers/net/team/team_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c index 8bc56186b2a3..4568075fea6e 100644 --- a/drivers/net/team/team_core.c +++ b/drivers/net/team/team_core.c @@ -1778,7 +1778,7 @@ static void team_change_rx_flags(struct net_device *dev, int change) struct team_port *port; int inc; - mutex_lock(&team->lock); + spin_lock(&team->lock); list_for_each_entry(port, &team->port_list, list) { if (change & IFF_PROMISC) { inc = dev->flags & IFF_PROMISC ? 1 : -1; @@ -1789,7 +1789,7 @@ static void team_change_rx_flags(struct net_device *dev, int change) dev_set_allmulti(port->dev, inc); } } - mutex_unlock(&team->lock); + spin_unlock(&team->lock); } static void team_set_rx_mode(struct net_device *dev) -- 2.30.2