From nobody Mon May 25 02:42:37 2026
Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com
 [209.85.128.43])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3AF9B2882B4
	for <linux-kernel@vger.kernel.org>; Tue, 19 May 2026 17:26:41 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779211602; cv=none;
 b=JsluMr5o+HQoKoNJbUNWZttsIJjHsZOTOMiw74alO+7qKqTS7Wn59a0xv70hKqFFD/3MEdnivNLouJCrFFxgzSvrJF7vF3NsRnDp6pmCrufe7Lx5nVUfUWRiUmnRtkS5IhbIPVLFXH1k23uDDiA3tk808kzjYhmXK/QCuDNQBpE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779211602; c=relaxed/simple;
	bh=egYyu/i+xaZaoDb0v9SpMFsflxy9+neCAhZXc7GqhbE=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=g+0P6xv50bUmcQjUJJeDZudwJbpT3J0qN4Y431EKjLD6I2HDvhApCbt/IXYUfcB0kaU7u7hD7R3tm7v57t4jaY3YgFFW9qmDxsoGrxy/IE0+n19hV1Acsrlv5XbXGbTWgdebTN+ZWiWspCNMBIOIzAK7Mu3fMYNrlN7bzz6n+3U=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=OL0a7HcA; arc=none smtp.client-ip=209.85.128.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="OL0a7HcA"
Received: by mail-wm1-f43.google.com with SMTP id
 5b1f17b1804b1-488a8f97f6bso6848515e9.2
        for <linux-kernel@vger.kernel.org>;
 Tue, 19 May 2026 10:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779211599; x=1779816399;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=1jbRD0zuDAkT/iOMZCuQC1mbw0VTyeq/zm8Dbw1smrw=;
        b=OL0a7HcAqs1a/9RxYMErmtMmMwyloN3x4w5/kAYtSlD8uHq6WZF+y1rcgnGb1Ts1Pq
         mE6ftoLWjoCn+GJSJrzqFK+W1XdLmq6dcFOQmJCkXZKkZhfPGwKKZ/RaCfZ1sgw6NgCe
         3hhAGwIxJycZP9LHjdGrkkUWCF3xlp8BfHZsJzxysdWC1tud+/zXC4ZZoFip8mO6bDlv
         SP6cXoZ1HhUF3f7T6tbm+qYyQx5MtXgY80dENYTfH9wzFqg5SUUOOO1KobR8l8oZscy1
         aCjm9mGcp9NSJhQfkJE7wPgwQ2P8Z2CZeCkrrAmyKCLoOLulJfG0WNfANRRRhk2Uqk7+
         Letw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779211599; x=1779816399;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=1jbRD0zuDAkT/iOMZCuQC1mbw0VTyeq/zm8Dbw1smrw=;
        b=oWYeS6w8+yt5QaDRa/bSa0h5aA6ahNUsRyRJuNxIeRzapZDRI4n75LnlEYW6xGbzju
         5tLUvB37LEUssYRkz+A/ti/cbG4gULjc/ZQwPolZ2m9/RipicTXW3t3A3UXXEgSlzMcH
         UCN0Gzaa/YkTGoy3SPAc4nPFqnDUyA2untEyVxuO+W67+zsCAKcI7/UN6RIYrNAdAtRR
         2L0AJ2uW5M1Fak2lDFSfkz1VM15587UEkRJ4IAwdcYAk81QnKDqSJPAR+d9NoDisQqMB
         BP+464Qhw0f4+bXrAk13nyr++HJlxSJM3eqPuYRCUreExKY8buvRyXIh2oFRV3GRlCAV
         7/Iw==
X-Forwarded-Encrypted: i=1;
 AFNElJ+zlEE8YSxe/LHoWCdeYFhV1PYXTtPRfA8esIbUP5LnvAmwcXw7Xd3+Fd9/pNP6DzQYueHldYItblphV7I=@vger.kernel.org
X-Gm-Message-State: AOJu0Yy31NUNOis3kEgkDwODmGDx+n1XpTYkb2HXDP7d4aOuNC7utAsn
	RaAx51vwKTejYlyBg6Sm/WD3E214vaqSBz8eLwFGuOy48HxdDTiKgwdC
X-Gm-Gg: Acq92OFqBm6Z8RxnSH4PeHh4tbB20zHyBA5lz28RUuO5bLttAEFVP74mgGPY0o0Yp0R
	5AvKWOrsRuIPCIlC1ONJOt/MEAKj/DcYEAhrRSxiRfk72qP+M0Fq6SsOrm3SrKCEsU51ZOF0Imt
	4T+tmYf1k5doQHySJmX6syeKoQ/+XnMAHh//yfkr8nimoN4L9E3epJzi/DN33W5KTiMZfbQJwZ+
	oZqEy4e6a1nn/9EBIG6eOvB3ec+qtBIrsRDq5Ox48+hc23mN3i7pRDA6cArQNKpRBQuZDTTTEbc
	Hi3xzOYoOFdJbwKnScigckO+R/f7haRk8DxrXy4wQhpOd+rsKCIshgmnC3zsyI06Eb7dJBfGaXb
	7hi/JBTgZBWQwDLZmIxPAsWvZm5Bor5heiHUHDL6UfziKpcYy+K1Qw1KBV6ImeX1/uGb4QFQPxw
	AAwbWpmeVjsn7W3Aau9J9eWlQSReAl/7sUQ2wQpDhrWBifM/PWAIimVsb3YHQphF3z1qUDKn9Q3
	inwEmI=
X-Received: by 2002:a05:600c:a48:b0:489:e696:127d with SMTP id
 5b1f17b1804b1-48fe63022e8mr142076495e9.5.1779211599195;
        Tue, 19 May 2026 10:26:39 -0700 (PDT)
Received: from ast-epyc5.inf.ethz.ch (ast-epyc4.inf.ethz.ch.
 [129.132.161.179])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-48feae166dasm128269335e9.9.2026.05.19.10.26.38
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 19 May 2026 10:26:38 -0700 (PDT)
From: Zijing Yin <yzjaurora@gmail.com>
To: Remi Denis-Courmont <courmisch@gmail.com>
Cc: Zijing Yin <yzjaurora@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: [PATCH net] phonet/pep: disable BH around forwarded sk_receive_skb()
Date: Tue, 19 May 2026 10:26:33 -0700
Message-ID: <20260519172635.86304-1-yzjaurora@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The networking receive path is usually run from softirq context, but
protocols that take the socket lock may have packets stored in the
backlog and processed later from process context. In that case
release_sock() -> __release_sock() drops the slock with spin_unlock_bh()
and then calls sk->sk_backlog_rcv() with bottom halves enabled.

Typical sk_backlog_rcv handlers process the socket whose backlog is
being drained, so the BH state at entry is irrelevant for the slocks
they touch. pep_do_rcv() is different: when the inbound skb targets an
existing PEP pipe, it forwards the skb to a different *child* socket
via sk_receive_skb(). That helper takes the child slock with
bh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH
is already off. The same child slock therefore ends up acquired with
BH on (process path) and with BH off (softirq path):

  process context                   softirq context
  ---------------                   ---------------
  release_sock(listener)            __netif_receive_skb()
   __release_sock()                  phonet_rcv()
    spin_unlock_bh()                  __sk_receive_skb(listener)
    [BH now ENABLED]                  [BH already disabled]
    sk_backlog_rcv:                   sk_backlog_rcv:
     pep_do_rcv()                      pep_do_rcv()
      sk_receive_skb(child)             sk_receive_skb(child)
       bh_lock_sock_nested(child)        bh_lock_sock_nested(child)
       =3D> SOFTIRQ-ON-W                   =3D> IN-SOFTIRQ-W

Lockdep flags this as inconsistent lock state, and it can become a real
self-deadlock if a softirq on the same CPU tries to receive to the same
child socket while its slock is held in the BH-enabled path:

  WARNING: inconsistent lock state
  inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
   (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900
    __sk_receive_skb              net/core/sock.c:563
    sk_receive_skb                include/net/sock.h:2022 [inline]
    pep_do_rcv                    net/phonet/pep.c:675
    sk_backlog_rcv                include/net/sock.h:1190
    __release_sock                net/core/sock.c:3216
    release_sock                  net/core/sock.c:3815
    pep_sock_accept               net/phonet/pep.c:879

Wrap the forwarded sk_receive_skb() in local_bh_disable() /
local_bh_enable() so the child slock is always acquired with BH off.
local_bh_disable() nests safely on the softirq path.

Discovered via in-house syzkaller fuzzing; the same root cause also
on the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.
Reproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:
https://pastebin.com/A3t8xzCR

Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
Link: https://syzkaller.appspot.com/bug?extid=3D44f0626dd6284f02663c
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
Acked-by: R=C3=A9mi Denis-Courmont <remi@remlab.net>
Reported-by: syzbot+9f4a135646b66c509935@syzkaller.appspotmail.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
---
 net/phonet/pep.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 4dbf0914df7d..cc6226cc4343 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -671,8 +671,23 @@ static int pep_do_rcv(struct sock *sk, struct sk_buff =
*skb)
=20
 	/* Look for an existing pipe handle */
 	sknode =3D pep_find_pipe(&pn->hlist, &dst, pipe_handle);
-	if (sknode)
-		return sk_receive_skb(sknode, skb, 1);
+	if (sknode) {
+		int rc;
+
+		/*
+		 * pep_do_rcv() runs from two contexts: from softirq via
+		 * phonet_rcv() -> __sk_receive_skb() with BH disabled, and from
+		 * process context via release_sock() -> __release_sock(), which
+		 * drops the listener slock with spin_unlock_bh() before draining
+		 * the backlog.  The child pipe slock is taken below via
+		 * bh_lock_sock_nested(), which does not itself disable BH, so
+		 * disable BH here to keep both acquire contexts consistent.
+		 */
+		local_bh_disable();
+		rc =3D sk_receive_skb(sknode, skb, 1);
+		local_bh_enable();
+		return rc;
+	}
=20
 	switch (hdr->message_id) {
 	case PNS_PEP_CONNECT_REQ:

base-commit: edc502717be153674b0b3eefb8b40734c747c138
--=20
2.43.0