From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Lizhi Xu <lizhi.xu@windriver.com>
Cc: <syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com>,
	<alex.aring@gmail.com>,  <davem@davemloft.net>,
	 <edumazet@google.com>, <horms@kernel.org>,  <kuba@kernel.org>,
	 <linux-kernel@vger.kernel.org>, <linux-usb@vger.kernel.org>,
	 <linux-wpan@vger.kernel.org>, <netdev@vger.kernel.org>,
	 <pabeni@redhat.com>, <stefan@datenfreihafen.org>,
	 <syzkaller-bugs@googlegroups.com>,
	Dmitry Antipov <dmantipov@yandex.ru>
Subject: Re: [PATCH] mac802154: add a check for slave data list before delete
Date: Mon, 11 Nov 2024 20:46:57 +0100
Message-ID: <87msi5pn7y.fsf@bootlin.com>
In-Reply-To: <20241108145420.2445641-1-lizhi.xu@windriver.com> (Lizhi Xu's message of "Fri, 8 Nov 2024 22:54:20 +0800")

Hello,

On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:

> syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>
> Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
> hardware device from the system.
>
> CPU0					CPU1
> ====					====
> genl_family_rcv_msg_doit		ieee802154_unregister_hw
> ieee802154_del_iface			ieee802154_remove_interfaces
> rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
> ieee802154_if_remove
> list_del_rcu

FYI this is a "duplicate" but with a different approach than:
https://lore.kernel.org/linux-wpan/87v7wtpngj.fsf@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077

Thanks,
Miquèl

>
> Avoid this issue by adding slave data state bit SDATA_STATE_LISTDONE, setting
> SDATA_STATE_LISTDONE when unregistering the hardware from the system, and
> adding a state bit SDATA_STATE_LISTDONE judgment before removing the interface
> to delete the list.
>
> [1]
> kernel BUG at lib/list_debug.c:58!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
> Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
> RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
> RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
> R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
> R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
> FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  __list_del_entry_valid include/linux/list.h:124 [inline]
>  __list_del_entry include/linux/list.h:215 [inline]
>  list_del_rcu include/linux/rculist.h:157 [inline]
>  ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
>  rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
>  ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
>  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
>  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
>  genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
>  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
>  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
>  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
>  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
>  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
>  sock_sendmsg_nosec net/socket.c:729 [inline]
>  __sock_sendmsg+0x221/0x270 net/socket.c:744
>  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
>  ___sys_sendmsg net/socket.c:2661 [inline]
>  __sys_sendmsg+0x292/0x380 net/socket.c:2690
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  net/mac802154/ieee802154_i.h | 1 +
>  net/mac802154/iface.c        | 4 ++++
>  2 files changed, 5 insertions(+)
>
> diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
> index 08dd521a51a5..6771c0569516 100644
> --- a/net/mac802154/ieee802154_i.h
> +++ b/net/mac802154/ieee802154_i.h
> @@ -101,6 +101,7 @@ enum {
>  
>  enum ieee802154_sdata_state_bits {
>  	SDATA_STATE_RUNNING,
> +	SDATA_STATE_LISTDONE,
>  };
>  
>  /* Slave interface definition.
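Review bot: the new SDATA_STATE_LISTDONE enumerator carries no comment saying what it records; since it marks an sdata that ieee802154_remove_interfaces() has already unlinked from local->interfaces, a one-line comment above it stating exactly that (and a name that reads as a state, e.g. SDATA_STATE_UNLINKED, rather than "list done") would make the two test_bit()/set_bit() sites in iface.c self-explanatory.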
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index c0e2da5072be..aed2fc63395d 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
>  {
>  	ASSERT_RTNL();
>  
> +	if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
> +		return;
> +
>  	mutex_lock(&sdata->local->iflist_mtx);
>  	list_del_rcu(&sdata->list);
>  	mutex_unlock(&sdata->local->iflist_mtx);
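Review bot: the early `return` at the top of ieee802154_if_remove() leaves the whole function, not only the `list_del_rcu(&sdata->list)` the commit message says it is protecting, so everything after `mutex_unlock(&sdata->local->iflist_mtx)` is also skipped for an interface that ieee802154_remove_interfaces() has already unlinked; if that is intended it should be stated in the commit message, otherwise guard only the list removal. The bit is also read here without iflist_mtx while the other hunk sets it under that mutex; this is only safe because both paths run under RTNL (`ASSERT_RTNL()` just above), which deserves a comment. For the record, the register dump in [1] shows RBX = dead000000000122 and R14 = dead000000000100, the x86_64 LIST_POISON2/LIST_POISON1 values, i.e. the entry had already been poisoned by a first list_del() when the second one ran.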
> @@ -698,6 +701,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
>  	mutex_lock(&local->iflist_mtx);
>  	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
>  		list_del(&sdata->list);
> +		set_bit(SDATA_STATE_LISTDONE, &sdata->state);
>  
>  		unregister_netdevice(sdata->dev);
>  	}
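Review bot: `set_bit(SDATA_STATE_LISTDONE, &sdata->state)` is placed after `list_del(&sdata->list)`, so for a moment the entry is unlinked but not flagged; with both paths serialized by RTNL that window is not observable, but the ordering (and the reliance on RTNL rather than iflist_mtx) should be spelled out in a comment. A new state bit may not be needed at all: using `list_del_init()` here instead of `list_del()` lets ieee802154_if_remove() test `list_empty(&sdata->list)`, keeping the "already unlinked" fact in the list_head itself rather than in a second piece of state that has to stay in sync with it.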
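As an added illustration, not code from the patch or the kernel tree: a small userspace C model of the CPU0/CPU1 ordering in the commit message. It mirrors the link poisoning that __list_del_entry_valid() catches (using the x86_64 LIST_POISON values) and the state-bit guard the patch adds; the function names, the bitmask encoding of the state and the `guarded` switch are stand-ins for this model, not the kernel's own API.

```c
#include <stdbool.h>
/* Poison values the kernel stores in an unlinked list_head (x86_64 values). */
#define LIST_POISON1 ((struct list_head *)0xdead000000000100UL)
#define LIST_POISON2 ((struct list_head *)0xdead000000000122UL)
/* Hypothetical userspace stand-in for the patch's sdata state bit. */
#define SDATA_STATE_LISTDONE (1UL << 1)

struct list_head { struct list_head *next, *prev; };
struct sdata { struct list_head list; unsigned long state; }; /* list first */

/* Models __list_del_entry_valid(): poisoned links mean a second list_del(). */
static bool list_del_entry_valid(const struct list_head *e)
{
	return e->next != LIST_POISON1 && e->prev != LIST_POISON2;
}

static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->next = LIST_POISON1;
	e->prev = LIST_POISON2;
}

/* CPU1 side: ieee802154_remove_interfaces() unlinks every sdata and flags it. */
static void remove_interfaces(struct list_head *ifaces)
{
	while (ifaces->next != ifaces) {
		struct sdata *s = (struct sdata *)ifaces->next;
		list_del(&s->list);
		s->state |= SDATA_STATE_LISTDONE;
	}
}

/* CPU0 side: ieee802154_if_remove(); returns false where the kernel would BUG(). */
static bool if_remove(struct sdata *s, bool guarded)
{
	if (guarded && (s->state & SDATA_STATE_LISTDONE))
		return true;
	if (!list_del_entry_valid(&s->list))
		return false;
	list_del(&s->list);
	return true;
}

/* Replays the CPU1-then-CPU0 ordering from the commit message. */
static bool replay(bool guarded)
{
	struct list_head ifaces = { &ifaces, &ifaces };
	struct sdata s = { { &ifaces, &ifaces }, 0 };
	ifaces.next = ifaces.prev = &s.list;
	remove_interfaces(&ifaces);
	return if_remove(&s, guarded);
}
```

`replay(false)` reproduces the double unlink that list_debug.c reports; `replay(true)` shows the guard short-circuiting the second removal.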
