From: Stanislav Fomichev <stfomichev@gmail.com>
To: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Kuniyuki Iwashima <kuni1840@gmail.com>,
	netdev@vger.kernel.org,
	syzbot+45016fe295243a7882d3@syzkaller.appspotmail.com
Subject: Re: [PATCH v1 net] rtnetlink: Fix bad unlock balance in do_setlink().
Date: Mon, 7 Apr 2025 09:57:20 -0700
Message-ID: <Z_QD8CX_M1ISSC0b@mini-arch>
In-Reply-To: <20250407164229.24414-1-kuniyu@amazon.com>

On 04/07, Kuniyuki Iwashima wrote:
> When validate_linkmsg() fails in do_setlink(), we jump to the errout
> label and call netdev_unlock_ops() even though we have not called
> netdev_lock_ops(), as reported by syzbot.  [0]
> 
> Let's return an error directly in such a case.
> 
> [0]
> WARNING: bad unlock balance detected!
> 6.14.0-syzkaller-12504-g8bc251e5d874 #0 Not tainted
> 
> syz-executor814/5834 is trying to release lock (&dev_instance_lock_key) at:
> [<ffffffff89f41f56>] netdev_unlock include/linux/netdevice.h:2756 [inline]
> [<ffffffff89f41f56>] netdev_unlock_ops include/net/netdev_lock.h:48 [inline]
> [<ffffffff89f41f56>] do_setlink+0xc26/0x43a0 net/core/rtnetlink.c:3406
> but there are no more locks to release!
> 
> other info that might help us debug this:
> 1 lock held by syz-executor814/5834:
>  #0: ffffffff900fc408 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
>  #0: ffffffff900fc408 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
>  #0: ffffffff900fc408 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xd68/0x1fe0 net/core/rtnetlink.c:4064
> 
> stack backtrace:
> CPU: 0 UID: 0 PID: 5834 Comm: syz-executor814 Not tainted 6.14.0-syzkaller-12504-g8bc251e5d874 #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>  print_unlock_imbalance_bug+0x185/0x1a0 kernel/locking/lockdep.c:5296
>  __lock_release kernel/locking/lockdep.c:5535 [inline]
>  lock_release+0x1ed/0x3e0 kernel/locking/lockdep.c:5887
>  __mutex_unlock_slowpath+0xee/0x800 kernel/locking/mutex.c:907
>  netdev_unlock include/linux/netdevice.h:2756 [inline]
>  netdev_unlock_ops include/net/netdev_lock.h:48 [inline]
>  do_setlink+0xc26/0x43a0 net/core/rtnetlink.c:3406
>  rtnl_group_changelink net/core/rtnetlink.c:3783 [inline]
>  __rtnl_newlink net/core/rtnetlink.c:3937 [inline]
>  rtnl_newlink+0x1619/0x1fe0 net/core/rtnetlink.c:4065
>  rtnetlink_rcv_msg+0x80f/0xd70 net/core/rtnetlink.c:6955
>  netlink_rcv_skb+0x208/0x480 net/netlink/af_netlink.c:2534
>  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
>  netlink_unicast+0x7f8/0x9a0 net/netlink/af_netlink.c:1339
>  netlink_sendmsg+0x8c3/0xcd0 net/netlink/af_netlink.c:1883
>  sock_sendmsg_nosec net/socket.c:712 [inline]
>  __sock_sendmsg+0x221/0x270 net/socket.c:727
>  ____sys_sendmsg+0x523/0x860 net/socket.c:2566
>  ___sys_sendmsg net/socket.c:2620 [inline]
>  __sys_sendmsg+0x271/0x360 net/socket.c:2652
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f8427b614a9
> Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fff9b59f3a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007fff9b59f578 RCX: 00007f8427b614a9
> RDX: 0000000000000000 RSI: 0000200000000300 RDI: 0000000000000004
> RBP: 00007f8427bd4610 R08: 000000000000000c R09: 00007fff9b59f578
> R10: 000000000000001b R11: 0000000000000246 R12: 0000000000000001
> R13:
> 
> Fixes: 4c975fd70002 ("net: hold instance lock during NETDEV_REGISTER/UP")
> Reported-by: syzbot+45016fe295243a7882d3@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=45016fe295243a7882d3
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>

Acked-by: Stanislav Fomichev <sdf@fomichev.me>
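
The unlock imbalance the commit message describes comes from a common error-path shape: a check that runs before the lock is taken jumps to a shared `errout` label that unconditionally unlocks. The following is an added, self-contained C model of that shape and of the fix (return directly before the lock is held); it is not the kernel's code or the patch itself. `toy_lock`, `toy_dev`, `link_req`, `validate_linkmsg_toy()` and the two `do_setlink_*` variants are hypothetical simplifications, and the `held`/`imbalance` counters stand in for lockdep's "bad unlock balance" warning.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy instance lock. The counters stand in for lockdep: an unlock with
 * nothing held is recorded as an imbalance instead of a WARN. Not kernel code. */
struct toy_lock {
	int held;       /* current lock depth */
	int imbalance;  /* unlock calls seen while nothing was held */
};

static void netdev_lock_ops_toy(struct toy_lock *l)
{
	l->held++;
}

static void netdev_unlock_ops_toy(struct toy_lock *l)
{
	if (l->held == 0) {
		l->imbalance++;   /* lockdep would report "bad unlock balance" here */
		return;
	}
	l->held--;
}

/* Hypothetical, much simplified link request and device state. */
struct link_req {
	bool change_mtu;
	int mtu;
};

struct toy_dev {
	struct toy_lock lock;
	int mtu;
	bool busy;   /* triggers a failure after the lock is taken, so errout is exercised */
};

/* Stand-in for validate_linkmsg(): runs before the instance lock is taken. */
static int validate_linkmsg_toy(const struct link_req *req)
{
	if (req->change_mtu && req->mtu < 68)   /* arbitrary lower bound for the toy */
		return -EINVAL;
	return 0;
}

/* Buggy shape: a validation failure jumps to errout, which unlocks a lock
 * that was never taken. */
static int do_setlink_buggy(struct toy_dev *dev, const struct link_req *req)
{
	int err = validate_linkmsg_toy(req);

	if (err < 0)
		goto errout;

	netdev_lock_ops_toy(&dev->lock);
	if (dev->busy) {
		err = -EBUSY;
		goto errout;
	}
	if (req->change_mtu)
		dev->mtu = req->mtu;
	err = 0;
errout:
	netdev_unlock_ops_toy(&dev->lock);
	return err;
}

/* Fixed shape: failures before the lock return directly, so errout is only
 * reachable once the lock is actually held. */
static int do_setlink_fixed(struct toy_dev *dev, const struct link_req *req)
{
	int err = validate_linkmsg_toy(req);

	if (err < 0)
		return err;

	netdev_lock_ops_toy(&dev->lock);
	if (dev->busy) {
		err = -EBUSY;
		goto errout;
	}
	if (req->change_mtu)
		dev->mtu = req->mtu;
	err = 0;
errout:
	netdev_unlock_ops_toy(&dev->lock);
	return err;
}

/* Runs one MTU-change request through either variant on a fresh device and
 * returns how many unbalanced unlocks the toy lock observed. */
static int unlock_imbalance(bool fixed, bool busy, int mtu, int *err_out)
{
	struct toy_dev dev = { .lock = { 0, 0 }, .mtu = 1500, .busy = busy };
	struct link_req req = { .change_mtu = true, .mtu = mtu };
	int err = fixed ? do_setlink_fixed(&dev, &req) : do_setlink_buggy(&dev, &req);

	if (err_out)
		*err_out = err;
	return dev.lock.imbalance;
}

int main(void)
{
	int err;

	printf("buggy, invalid mtu: imbalance=%d\n", unlock_imbalance(false, false, 10, &err));
	printf("fixed, invalid mtu: imbalance=%d err=%d\n", unlock_imbalance(true, false, 10, &err), err);
	printf("fixed, busy device: imbalance=%d err=%d\n", unlock_imbalance(true, true, 1400, &err), err);
	return 0;
}
```

The buggy variant reports one imbalance for the pre-lock failure, while the fixed variant reports none for both the pre-lock and the post-lock failure and leaves the lock depth at zero. The same review check applies to any `goto errout` that precedes a lock acquisition: every jump target must be reachable only from states where the cleanup it performs is valid.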

Thread overview: 3+ messages
2025-04-07 16:42 [PATCH v1 net] rtnetlink: Fix bad unlock balance in do_setlink() Kuniyuki Iwashima
2025-04-07 16:57 ` Stanislav Fomichev [this message]
2025-04-08 19:51 ` patchwork-bot+netdevbpf
