Re: [Bug] "possible deadlock in rtnl_newlink" in Linux kernel v6.13

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jacob Keller <jacob.e.keller@intel.com>
To: John <john.cs.hey@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>,
	Joe Damato <jdamato@fastly.com>
Cc: Simon Horman <horms@kernel.org>, <netdev@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: [Bug] "possible deadlock in rtnl_newlink" in Linux kernel v6.13
Date: Thu, 22 May 2025 16:05:05 -0700	[thread overview]
Message-ID: <c9b62eaa-e05e-4958-bbf5-73b1e3c46b33@intel.com> (raw)
In-Reply-To: <CAP=Rh=OEsn4y_2LvkO3UtDWurKcGPnZ_NPSXK=FbgygNXL37Sw@mail.gmail.com>



On 5/21/2025 5:52 PM, John wrote:
> Dear Linux Kernel Maintainers,
> 
> I hope this message finds you well.
> 
> I am writing to report a potential vulnerability I encountered during
> testing of the Linux Kernel version v6.13.
> 
> Git Commit: ffd294d346d185b70e28b1a28abe367bbfe53c04 (tag: v6.13)
> 
> Bug Location: rtnl_newlink+0x86c/0x1dd0 net/core/rtnetlink.c:4011
> 
> Bug report: https://hastebin.com/share/ajavibofik.bash
> 
> Complete log: https://hastebin.com/share/derufumuxu.perl
> 
> Entire kernel config:  https://hastebin.com/share/lovayaqidu.ini
> 
> Root Cause Analysis:
> The deadlock warning is caused by a circular locking dependency
> between two subsystems:
> 
> Path A (CPU 0):
> Holds rtnl_mutex in rtnl_newlink() →
> Then calls e1000_close() →
> Triggers e1000_down_and_stop() →
> Calls __cancel_work_sync() →
> Tries to flush adapter->reset_task (→ needs work_completion lock)
> 
> Path B (CPU 1):
> Holds work_completion lock while running e1000_reset_task() →
> Then calls e1000_down() →
> Which tries to acquire rtnl_mutex
> These two execution paths result in a circular dependency:
> 

I guess this implies you can't cancel_work_sync while holding RTNL lock?
Hmm. Or maybe its because calling e1000_down from the e1000_reset_task
is a problem.

> CPU 0: rtnl_mutex → work_completion
> CPU 1: work_completion → rtnl_mutex
> 
> This violates lock ordering and can lead to a deadlock under contention.
> This bug represents a classic case of lock inversion between
> networking core (rtnl_mutex) and a device driver (e1000 workqueue
> reset`).
> It is a design-level concurrency flaw that can lead to deadlocks under
> stress or fuzzing workloads.
> 
> At present, I have not yet obtained a minimal reproducer for this
> issue. However, I am actively working on reproducing it, and I will
> promptly share any additional findings or a working reproducer as soon
> as it becomes available.
> 

This is likely a regression in e400c7444d84 ("e1000: Hold RTNL when
e1000_down can be called")

@Joe, thoughts?


> Thank you very much for your time and attention to this matter. I
> truly appreciate the efforts of the Linux kernel community.
> 
> Best regards,
> John
>

next prev parent reply	other threads:[~2025-05-22 23:05 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-22  0:52 [Bug] "possible deadlock in rtnl_newlink" in Linux kernel v6.13 John
2025-05-22 23:05 ` Jacob Keller [this message]
2025-05-29 23:50   ` Joe Damato
2025-05-30  0:16     ` Jakub Kicinski
2025-05-30  1:12       ` Joe Damato
2025-05-30 14:48         ` Jakub Kicinski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c9b62eaa-e05e-4958-bbf5-73b1e3c46b33@intel.com \
    --to=jacob.e.keller@intel.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jdamato@fastly.com \
    --cc=john.cs.hey@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.