On 11/27/25 9:41 AM, Junjie Cao wrote:
syzbot reported a circular locking dependency involving nr_neigh_list_lock, nr_node_list_lock and nr_node->node_lock in the NET/ROM routing code [1].
One of the problematic scenarios looks like this:
CPU0                          CPU1
nr_rt_device_down()           nr_rt_ioctl()
  lock(nr_neigh_list_lock);     nr_del_node()
  ...                             lock(nr_node_list_lock);
  lock(nr_node_list_lock);        nr_remove_neigh();
                                    lock(nr_neigh_list_lock);
This creates the following lock chain:
nr_neigh_list_lock -> nr_node_list_lock -> &nr_node->node_lock
while the ioctl path may acquire the locks in the opposite order via nr_dec_obs()/nr_del_node(), which makes lockdep complain about a possible deadlock.
Refactor nr_rt_device_down() to avoid nested locking of nr_neigh_list_lock and nr_node_list_lock. The function now performs two separate passes: one that walks all nodes under nr_node_list_lock and drops routes / reference counts, and a second one that removes unused neighbours under nr_neigh_list_lock.
This also fixes a reference count leak of nr_neigh in the node route removal path.
Please don't mix separate fixes; the latter needs to go in a different patch to help reviewers. Also both of them need a suitable Fixes tag.
Thanks,
Paolo
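A small lockdep-style lock-order checker, added here as an illustration (not part of the patch or of the kernel), that replays the two acquisition orders from the quoted description and shows why the AB-BA cycle disappears once nr_rt_device_down() takes the two list locks in separate passes. It assumes the first pass still nests nr_node->node_lock under nr_node_list_lock, as in the original chain.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy lock-order checker (added illustration, not kernel code). */
enum { NEIGH_LIST, NODE_LIST, NODE_LOCK, NLOCKS };

/* edge[a][b] is set when lock b was taken while lock a was held. */
static bool edge[NLOCKS][NLOCKS];

static void reset(void) { memset(edge, 0, sizeof edge); }

/* Record one acquisition sequence; every lock stays held until the end. */
static void record_path(const int *seq, int n) {
    for (int i = 0; i < n; i++)
        for (int j = 0; j < i; j++)
            edge[seq[j]][seq[i]] = true;
}

/* Bounded DFS: can we get from 'from' back to 'to' along recorded edges? */
static bool reach(int from, int to, int depth) {
    if (depth > NLOCKS) return false;
    for (int k = 0; k < NLOCKS; k++)
        if (edge[from][k] && (k == to || reach(k, to, depth + 1))) return true;
    return false;
}

/* A cycle in the order graph is exactly what lockdep reports as a possible deadlock. */
static bool has_cycle(void) {
    for (int a = 0; a < NLOCKS; a++)
        if (reach(a, a, 0)) return true;
    return false;
}

/* ioctl path: nr_del_node() holds nr_node_list_lock, nr_remove_neigh() takes nr_neigh_list_lock. */
static const int ioctl_path[] = { NODE_LIST, NEIGH_LIST };
/* Original nr_rt_device_down(): neigh list lock -> node list lock -> node->node_lock. */
static const int device_down_old[] = { NEIGH_LIST, NODE_LIST, NODE_LOCK };
/* Refactored: pass 1 under nr_node_list_lock (node_lock nesting assumed), pass 2 under nr_neigh_list_lock alone. */
static const int device_down_pass1[] = { NODE_LIST, NODE_LOCK };
static const int device_down_pass2[] = { NEIGH_LIST };

static bool deadlock_possible(bool refactored) {
    reset();
    record_path(ioctl_path, 2);
    if (refactored) { record_path(device_down_pass1, 2); record_path(device_down_pass2, 1); }
    else            { record_path(device_down_old, 3); }
    return has_cycle();
}

int main(void) {
    printf("original:   %s\n", deadlock_possible(false) ? "cycle, lockdep would warn" : "ok");
    printf("refactored: %s\n", deadlock_possible(true)  ? "cycle, lockdep would warn" : "ok");
    return 0;
}
```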