[syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove
@ 2024-11-06 16:53 syzbot
  2024-11-08 14:54 ` [PATCH] mac802154: add a check for slave data list before delete Lizhi Xu
  0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2024-11-06 16:53 UTC (permalink / raw)
  To: alex.aring, davem, edumazet, horms, kuba, linux-kernel, linux-usb,
	linux-wpan, miquel.raynal, netdev, pabeni, stefan, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    557329bcecc2 Merge tag 'mmc-v6.12-rc3' of git://git.kernel..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14a9f740580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=921b01cbfd887a9b
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15d76d5f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12a9f740580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2b44e0081eb5/disk-557329bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15b6a52c8e11/vmlinux-557329bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab40912bec45/bzImage-557329bc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_rcu include/linux/rculist.h:157 [inline]
 ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
 ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
 ___sys_sendmsg net/socket.c:2661 [inline]
 __sys_sendmsg+0x292/0x380 net/socket.c:2690
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd094c32309
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffec50063a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd094c32309
RDX: 0000000004000000 RSI: 0000000020000b00 RDI: 0000000000000004
RBP: 00000000000f4240 R08: 0000000000000000 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000161b7
R13: 00007ffec50063bc R14: 00007ffec50063d0 R15: 00007ffec50063c0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH] mac802154: add a check for slave data list before delete
  2024-11-06 16:53 [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove syzbot
@ 2024-11-08 14:54 ` Lizhi Xu
  2024-11-11 19:46   ` Miquel Raynal
  0 siblings, 1 reply; 15+ messages in thread
From: Lizhi Xu @ 2024-11-08 14:54 UTC (permalink / raw)
  To: syzbot+985f827280dc3a6e7e92
  Cc: alex.aring, davem, edumazet, horms, kuba, linux-kernel, linux-usb,
	linux-wpan, miquel.raynal, netdev, pabeni, stefan, syzkaller-bugs

syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
hardware device from the system.

CPU0					CPU1
====					====
genl_family_rcv_msg_doit		ieee802154_unregister_hw
ieee802154_del_iface			ieee802154_remove_interfaces
rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
ieee802154_if_remove
list_del_rcu

Avoid this issue, by adding slave data state bit SDATA_STATE_LISTDONE, set
SDATA_STATE_LISTDONE when unregistering the hardware from the system, and
add state bit SDATA_STATE_LISTDONE judgment before removing the interface
to delete the list. 

[1]
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_rcu include/linux/rculist.h:157 [inline]
 ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
 ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
 ___sys_sendmsg net/socket.c:2661 [inline]
 __sys_sendmsg+0x292/0x380 net/socket.c:2690
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 net/mac802154/ieee802154_i.h | 1 +
 net/mac802154/iface.c        | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..6771c0569516 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -101,6 +101,7 @@ enum {
 
 enum ieee802154_sdata_state_bits {
 	SDATA_STATE_RUNNING,
+	SDATA_STATE_LISTDONE,
 };
 
 /* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..aed2fc63395d 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
 {
 	ASSERT_RTNL();
 
+	if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
+		return;
+
 	mutex_lock(&sdata->local->iflist_mtx);
 	list_del_rcu(&sdata->list);
 	mutex_unlock(&sdata->local->iflist_mtx);
@@ -698,6 +701,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
 	mutex_lock(&local->iflist_mtx);
 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
 		list_del(&sdata->list);
+		set_bit(SDATA_STATE_LISTDONE, &sdata->state);
 
 		unregister_netdevice(sdata->dev);
 	}
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-08 14:54 ` [PATCH] mac802154: add a check for slave data list before delete Lizhi Xu
@ 2024-11-11 19:46   ` Miquel Raynal
  2024-11-12  0:21     ` Lizhi Xu
  0 siblings, 1 reply; 15+ messages in thread
From: Miquel Raynal @ 2024-11-11 19:46 UTC (permalink / raw)
  To: Lizhi Xu
  Cc: syzbot+985f827280dc3a6e7e92, alex.aring, davem, edumazet, horms,
	kuba, linux-kernel, linux-usb, linux-wpan, netdev, pabeni, stefan,
	syzkaller-bugs, Dmitry Antipov

Hello,

On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:

> syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>
> Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
> hardware device from the system.
>
> CPU0					CPU1
> ====					====
> genl_family_rcv_msg_doit		ieee802154_unregister_hw
> ieee802154_del_iface			ieee802154_remove_interfaces
> rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
> ieee802154_if_remove
> list_del_rcu

FYI this is a "duplicate" but with a different approach than:
https://lore.kernel.org/linux-wpan/87v7wtpngj.fsf@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077

Thanks,
Miquèl

>
> Avoid this issue, by adding slave data state bit SDATA_STATE_LISTDONE, set
> SDATA_STATE_LISTDONE when unregistering the hardware from the system, and
> add state bit SDATA_STATE_LISTDONE judgment before removing the interface
> to delete the list. 
>
> [1]
> kernel BUG at lib/list_debug.c:58!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
> Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
> RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
> RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
> R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
> R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
> FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  __list_del_entry_valid include/linux/list.h:124 [inline]
>  __list_del_entry include/linux/list.h:215 [inline]
>  list_del_rcu include/linux/rculist.h:157 [inline]
>  ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
>  rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
>  ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
>  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
>  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
>  genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
>  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
>  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
>  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
>  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
>  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
>  sock_sendmsg_nosec net/socket.c:729 [inline]
>  __sock_sendmsg+0x221/0x270 net/socket.c:744
>  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
>  ___sys_sendmsg net/socket.c:2661 [inline]
>  __sys_sendmsg+0x292/0x380 net/socket.c:2690
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  net/mac802154/ieee802154_i.h | 1 +
>  net/mac802154/iface.c        | 4 ++++
>  2 files changed, 5 insertions(+)
>
> diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
> index 08dd521a51a5..6771c0569516 100644
> --- a/net/mac802154/ieee802154_i.h
> +++ b/net/mac802154/ieee802154_i.h
> @@ -101,6 +101,7 @@ enum {
>  
>  enum ieee802154_sdata_state_bits {
>  	SDATA_STATE_RUNNING,
> +	SDATA_STATE_LISTDONE,
>  };
>  
>  /* Slave interface definition.
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index c0e2da5072be..aed2fc63395d 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
>  {
>  	ASSERT_RTNL();
>  
> +	if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
> +		return;
> +
>  	mutex_lock(&sdata->local->iflist_mtx);
>  	list_del_rcu(&sdata->list);
>  	mutex_unlock(&sdata->local->iflist_mtx);
> @@ -698,6 +701,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
>  	mutex_lock(&local->iflist_mtx);
>  	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
>  		list_del(&sdata->list);
> +		set_bit(SDATA_STATE_LISTDONE, &sdata->state);
>  
>  		unregister_netdevice(sdata->dev);
>  	}

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-11 19:46   ` Miquel Raynal
@ 2024-11-12  0:21     ` Lizhi Xu
  2024-11-12  4:31       ` [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove syzbot
  2024-11-12 11:01       ` [PATCH] mac802154: add a check for slave data list before delete Miquel Raynal
  0 siblings, 2 replies; 15+ messages in thread
From: Lizhi Xu @ 2024-11-12  0:21 UTC (permalink / raw)
  To: miquel.raynal
  Cc: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, lizhi.xu, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On Mon, 11 Nov 2024 20:46:57 +0100, Miquel Raynal wrote:
> On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:
> 
> > syzkaller reported a corrupted list in ieee802154_if_remove. [1]
> >
> > Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
> > hardware device from the system.
> >
> > CPU0					CPU1
> > ====					====
> > genl_family_rcv_msg_doit		ieee802154_unregister_hw
> > ieee802154_del_iface			ieee802154_remove_interfaces
> > rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
> > ieee802154_if_remove
> > list_del_rcu
> 
> FYI this is a "duplicate" but with a different approach than:
> https://lore.kernel.org/linux-wpan/87v7wtpngj.fsf@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077
No, my patch was the first to fix it, someone else copied my patch. Here is my patch:

From: syzbot <syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] Re: [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove
Date: Fri, 08 Nov 2024 03:24:46 -0800	[thread overview]
Message-ID: <672df4fe.050a0220.69fce.0011.GAE@google.com> (raw)
In-Reply-To: <672b9f03.050a0220.350062.0276.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove
Author: lizhi.xu@windriver.com

net device has been unregistered ?

#syz test

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..6771c0569516 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -101,6 +101,7 @@ enum {
 
 enum ieee802154_sdata_state_bits {
 	SDATA_STATE_RUNNING,
+	SDATA_STATE_LISTDONE,
 };
 
 /* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..95f11d377fd3 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
 {
 	ASSERT_RTNL();
 
+	printk("sd: %p, sdl: %p, dev: %p, l: %p, if remove\n", sdata, sdata->list, sdata->dev, sdata->local);
+	if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
+		return;
+
 	mutex_lock(&sdata->local->iflist_mtx);
 	list_del_rcu(&sdata->list);
 	mutex_unlock(&sdata->local->iflist_mtx);
@@ -697,7 +701,9 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
 
 	mutex_lock(&local->iflist_mtx);
 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+		printk("sd: %p, sdl: %p, dev: %p, l: %p, rmv interfaces\n", sdata, sdata->list, sdata->dev, sdata->local);
 		list_del(&sdata->list);
+		set_bit(SDATA_STATE_LISTDONE, &sdata->state);
 
 		unregister_netdevice(sdata->dev);
 	}
diff --git a/net/mac802154/main.c b/net/mac802154/main.c
index 21b7c3b280b4..81289719584e 100644
--- a/net/mac802154/main.c
+++ b/net/mac802154/main.c
@@ -279,6 +279,7 @@ void ieee802154_unregister_hw(struct ieee802154_hw *hw)
 
 	rtnl_lock();
 
+	printk("l: %p unreg hw\n", local);
 	ieee802154_remove_interfaces(local);
 
 	rtnl_unlock();

> 
> Thanks,
> Miquèl
> 
> >
> > Avoid this issue, by adding slave data state bit SDATA_STATE_LISTDONE, set
> > SDATA_STATE_LISTDONE when unregistering the hardware from the system, and
> > add state bit SDATA_STATE_LISTDONE judgment before removing the interface
> > to delete the list.
> >
> > [1]
> > kernel BUG at lib/list_debug.c:58!
> > Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> > CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> > RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
> > Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
> > RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
> > RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
> > RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> > RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
> > R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
> > R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
> > FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  <TASK>
> >  __list_del_entry_valid include/linux/list.h:124 [inline]
> >  __list_del_entry include/linux/list.h:215 [inline]
> >  list_del_rcu include/linux/rculist.h:157 [inline]
> >  ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
> >  rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
> >  ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
> >  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
> >  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
> >  genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
> >  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
> >  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
> >  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
> >  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
> >  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
> >  sock_sendmsg_nosec net/socket.c:729 [inline]
> >  __sock_sendmsg+0x221/0x270 net/socket.c:744
> >  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
> >  ___sys_sendmsg net/socket.c:2661 [inline]
> >  __sys_sendmsg+0x292/0x380 net/socket.c:2690
> >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
> > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> > ---
> >  net/mac802154/ieee802154_i.h | 1 +
> >  net/mac802154/iface.c        | 4 ++++
> >  2 files changed, 5 insertions(+)
> >
> > diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
> > index 08dd521a51a5..6771c0569516 100644
> > --- a/net/mac802154/ieee802154_i.h
> > +++ b/net/mac802154/ieee802154_i.h
> > @@ -101,6 +101,7 @@ enum {
> >
> >  enum ieee802154_sdata_state_bits {
> >  	SDATA_STATE_RUNNING,
> > +	SDATA_STATE_LISTDONE,
> >  };
> >
> >  /* Slave interface definition.
> > diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> > index c0e2da5072be..aed2fc63395d 100644
> > --- a/net/mac802154/iface.c
> > +++ b/net/mac802154/iface.c
> > @@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
> >  {
> >  	ASSERT_RTNL();
> >
> > +	if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
> > +		return;
> > +
> >  	mutex_lock(&sdata->local->iflist_mtx);
> >  	list_del_rcu(&sdata->list);
> >  	mutex_unlock(&sdata->local->iflist_mtx);
> > @@ -698,6 +701,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
> >  	mutex_lock(&local->iflist_mtx);
> >  	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
> >  		list_del(&sdata->list);
> > +		set_bit(SDATA_STATE_LISTDONE, &sdata->state);
> >
> >  		unregister_netdevice(sdata->dev);
> >  	}

BR,
Lizhi

^ permalink raw reply related	[flat|nested] 15+ messages in thread

* Re: [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove
  2024-11-12  0:21     ` Lizhi Xu
@ 2024-11-12  4:31       ` syzbot
  2024-11-12 11:01       ` [PATCH] mac802154: add a check for slave data list before delete Miquel Raynal
  1 sibling, 0 replies; 15+ messages in thread
From: syzbot @ 2024-11-12  4:31 UTC (permalink / raw)
  To: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, lizhi.xu, miquel.raynal, netdev, pabeni,
	stefan, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
Tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com

Tested on:

commit:         2d5404ca Linux 6.12-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1608335f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1503500c6f615d24
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=109ed35f980000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-12  0:21     ` Lizhi Xu
  2024-11-12  4:31       ` [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove syzbot
@ 2024-11-12 11:01       ` Miquel Raynal
  2024-11-12 13:41         ` Lizhi Xu
  1 sibling, 1 reply; 15+ messages in thread
From: Miquel Raynal @ 2024-11-12 11:01 UTC (permalink / raw)
  To: Lizhi Xu
  Cc: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On 12/11/2024 at 08:21:33 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:

> On Mon, 11 Nov 2024 20:46:57 +0100, Miquel Raynal wrote:
>> On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:
>> 
>> > syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>> >
>> > Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
>> > hardware device from the system.
>> >
>> > CPU0					CPU1
>> > ====					====
>> > genl_family_rcv_msg_doit		ieee802154_unregister_hw
>> > ieee802154_del_iface			ieee802154_remove_interfaces
>> > rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
>> > ieee802154_if_remove
>> > list_del_rcu
>> 
>> FYI this is a "duplicate" but with a different approach than:
>> https://lore.kernel.org/linux-wpan/87v7wtpngj.fsf@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077
> No, my patch was the first to fix it, someone else copied my
> patch. Here is my patch:

Ok, so same question as to the other contributor, why not enclosing the
remaining list_del_rcu() within mutex protection? Can we avoid the
creation of the LISTDONE state bit?

Thanks,
Miquèl

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-12 11:01       ` [PATCH] mac802154: add a check for slave data list before delete Miquel Raynal
@ 2024-11-12 13:41         ` Lizhi Xu
  2024-11-13  8:26           ` Miquel Raynal
  2024-11-13 10:29           ` [PATCH] mac802154: add a check for slave data list before delete Dmitry Antipov
  0 siblings, 2 replies; 15+ messages in thread
From: Lizhi Xu @ 2024-11-12 13:41 UTC (permalink / raw)
  To: miquel.raynal
  Cc: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, lizhi.xu, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On Tue, 12 Nov 2024 12:01:21 +0100, Miquel Raynal wrote:
>On 12/11/2024 at 08:21:33 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:
>
>> On Mon, 11 Nov 2024 20:46:57 +0100, Miquel Raynal wrote:
>>> On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:
>>>
>>> > syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>>> >
>>> > Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
>>> > hardware device from the system.
>>> >
>>> > CPU0					CPU1
>>> > ====					====
>>> > genl_family_rcv_msg_doit		ieee802154_unregister_hw
>>> > ieee802154_del_iface			ieee802154_remove_interfaces
>>> > rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
>>> > ieee802154_if_remove
>>> > list_del_rcu
>>>
>>> FYI this is a "duplicate" but with a different approach than:
>>> https://lore.kernel.org/linux-wpan/87v7wtpngj.fsf@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077
>> No, my patch was the first to fix it, someone else copied my
>> patch. Here is my patch:
>
>Ok, so same question as to the other contributor, why not enclosing the
>remaining list_del_rcu() within mutex protection? Can we avoid the
>creation of the LISTDONE state bit?
From the analysis of the list itself, we can not rely on the newly added state bit. 
The net device has been unregistered, since the rcu grace period,
unregistration must be run before ieee802154_if_remove.

Following is my V2 patch, it has been tested and works well.

From: Lizhi Xu <lizhi.xu@windriver.com>
Date: Tue, 12 Nov 2024 20:59:34 +0800
Subject: [PATCH V2] mac802154: check local interfaces before deleting sdata list

syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
hardware device from the system.

CPU0					CPU1
====					====
genl_family_rcv_msg_doit		ieee802154_unregister_hw
ieee802154_del_iface			ieee802154_remove_interfaces
rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
ieee802154_if_remove
list_del_rcu

The net device has been unregistered, since the rcu grace period,
unregistration must be run before ieee802154_if_remove.

To avoid this issue, add a check for local->interfaces before deleting
sdata list.

[1]
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_rcu include/linux/rculist.h:157 [inline]
 ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
 ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
 ___sys_sendmsg net/socket.c:2661 [inline]
 __sys_sendmsg+0x292/0x380 net/socket.c:2690
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
V1 -> V2: remove state bit and add a check for local interfaces before
          deleting sdata list

 net/mac802154/iface.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..9e4631fade90 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -684,6 +684,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
 	ASSERT_RTNL();
 
 	mutex_lock(&sdata->local->iflist_mtx);
+	if (list_empty(&sdata->local->interfaces)) {
+		mutex_unlock(&sdata->local->iflist_mtx);
+		return;
+	}
 	list_del_rcu(&sdata->list);
 	mutex_unlock(&sdata->local->iflist_mtx);
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-12 13:41         ` Lizhi Xu
@ 2024-11-13  8:26           ` Miquel Raynal
  2024-11-13  9:51             ` [PATCH V2] mac802154: check local interfaces before deleting sdata list Lizhi Xu
  2024-11-13 10:29           ` [PATCH] mac802154: add a check for slave data list before delete Dmitry Antipov
  1 sibling, 1 reply; 15+ messages in thread
From: Miquel Raynal @ 2024-11-13  8:26 UTC (permalink / raw)
  To: Lizhi Xu
  Cc: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On 12/11/2024 at 21:41:45 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:

> On Tue, 12 Nov 2024 12:01:21 +0100, Miquel Raynal wrote:
>>On 12/11/2024 at 08:21:33 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:
>>
>>> On Mon, 11 Nov 2024 20:46:57 +0100, Miquel Raynal wrote:
>>>> On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizhi.xu@windriver.com> wrote:
>>>>
>>>> > syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>>>> >
>>>> > Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
>>>> > hardware device from the system.
>>>> >
>>>> > CPU0					CPU1
>>>> > ====					====
>>>> > genl_family_rcv_msg_doit		ieee802154_unregister_hw
>>>> > ieee802154_del_iface			ieee802154_remove_interfaces
>>>> > rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
>>>> > ieee802154_if_remove
>>>> > list_del_rcu
>>>>
>>>> FYI this is a "duplicate" but with a different approach than:
>>>> https://lore.kernel.org/linux-wpan/87v7wtpngj.fsf@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077
>>> No, my patch was the first to fix it, someone else copied my
>>> patch. Here is my patch:
>>
>>Ok, so same question as to the other contributor, why not enclosing the
>>remaining list_del_rcu() within mutex protection? Can we avoid the
>>creation of the LISTDONE state bit?
> From the analysis of the list itself, we can not rely on the newly added state bit. 
> The net device has been unregistered, since the rcu grace period,
> unregistration must be run before ieee802154_if_remove.
>
> Following is my V2 patch, it has been tested and works well.

Please send a proper v2, not an inline v2.

However the new approach looks better to me, so you can add my

Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>

Thanks,
Miquèl

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH V2] mac802154: check local interfaces before deleting sdata list
  2024-11-13  8:26           ` Miquel Raynal
@ 2024-11-13  9:51             ` Lizhi Xu
  2024-11-19 10:06               ` Stefan Schmidt
  0 siblings, 1 reply; 15+ messages in thread
From: Lizhi Xu @ 2024-11-13  9:51 UTC (permalink / raw)
  To: miquel.raynal
  Cc: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, lizhi.xu, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
hardware device from the system.

CPU0					CPU1
====					====
genl_family_rcv_msg_doit		ieee802154_unregister_hw
ieee802154_del_iface			ieee802154_remove_interfaces
rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
ieee802154_if_remove
list_del_rcu

The net device has been unregistered, since the rcu grace period,
unregistration must be run before ieee802154_if_remove.

To avoid this issue, add a check for local->interfaces before deleting
sdata list.

[1]
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_rcu include/linux/rculist.h:157 [inline]
 ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
 ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
 ___sys_sendmsg net/socket.c:2661 [inline]
 __sys_sendmsg+0x292/0x380 net/socket.c:2690
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
---
V1 -> V2: remove state bit and add a check for local interfaces before
          deleting sdata list

 net/mac802154/iface.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..9e4631fade90 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -684,6 +684,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
 	ASSERT_RTNL();
 
 	mutex_lock(&sdata->local->iflist_mtx);
+	if (list_empty(&sdata->local->interfaces)) {
+		mutex_unlock(&sdata->local->iflist_mtx);
+		return;
+	}
 	list_del_rcu(&sdata->list);
 	mutex_unlock(&sdata->local->iflist_mtx);
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 15+ messages in thread

* Re: [PATCH V2] mac802154: check local interfaces before deleting sdata list
  2024-11-13  9:51             ` [PATCH V2] mac802154: check local interfaces before deleting sdata list Lizhi Xu
@ 2024-11-19 10:06               ` Stefan Schmidt
  0 siblings, 0 replies; 15+ messages in thread
From: Stefan Schmidt @ 2024-11-19 10:06 UTC (permalink / raw)
  To: miquel.raynal, Lizhi Xu
  Cc: Stefan Schmidt, alex.aring, davem, dmantipov, edumazet, horms,
	kuba, linux-kernel, linux-usb, linux-wpan, netdev, pabeni,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

Hello Lizhi Xu.

On Wed, 13 Nov 2024 17:51:29 +0800, Lizhi Xu wrote:
> syzkaller reported a corrupted list in ieee802154_if_remove. [1]
> 
> Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
> hardware device from the system.
> 
> CPU0					CPU1
> ====					====
> genl_family_rcv_msg_doit		ieee802154_unregister_hw
> ieee802154_del_iface			ieee802154_remove_interfaces
> rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
> ieee802154_if_remove
> list_del_rcu
> 
> [...]

Applied to wpan/wpan.git, thanks!

[1/1] mac802154: check local interfaces before deleting sdata list
      https://git.kernel.org/wpan/wpan/c/eb09fbeb4870

regards,
Stefan Schmidt

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-12 13:41         ` Lizhi Xu
  2024-11-13  8:26           ` Miquel Raynal
@ 2024-11-13 10:29           ` Dmitry Antipov
  2024-11-13 10:58             ` Miquel Raynal
  2024-11-14  1:00             ` Lizhi Xu
  1 sibling, 2 replies; 15+ messages in thread
From: Dmitry Antipov @ 2024-11-13 10:29 UTC (permalink / raw)
  To: Lizhi Xu, miquel.raynal
  Cc: alex.aring, davem, edumazet, horms, kuba, linux-kernel, linux-usb,
	linux-wpan, netdev, pabeni, stefan, syzbot+985f827280dc3a6e7e92,
	syzkaller-bugs

On 11/12/24 4:41 PM, Lizhi Xu wrote:

>   	mutex_lock(&sdata->local->iflist_mtx);
> +	if (list_empty(&sdata->local->interfaces)) {
> +		mutex_unlock(&sdata->local->iflist_mtx);
> +		return;
> +	}
>   	list_del_rcu(&sdata->list);
>   	mutex_unlock(&sdata->local->iflist_mtx);

Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
attempt to connect the only device. How this is expected to work if there are
more than one device?

Dmitry


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-13 10:29           ` [PATCH] mac802154: add a check for slave data list before delete Dmitry Antipov
@ 2024-11-13 10:58             ` Miquel Raynal
  2024-11-13 12:45               ` Dmitry Antipov
  2024-11-14  1:00             ` Lizhi Xu
  1 sibling, 1 reply; 15+ messages in thread
From: Miquel Raynal @ 2024-11-13 10:58 UTC (permalink / raw)
  To: Dmitry Antipov
  Cc: Lizhi Xu, alex.aring, davem, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On 13/11/2024 at 13:29:55 +03, Dmitry Antipov <dmantipov@yandex.ru> wrote:

> On 11/12/24 4:41 PM, Lizhi Xu wrote:
>
>>   	mutex_lock(&sdata->local->iflist_mtx);
>> +	if (list_empty(&sdata->local->interfaces)) {
>> +		mutex_unlock(&sdata->local->iflist_mtx);
>> +		return;
>> +	}
>>   	list_del_rcu(&sdata->list);
>>   	mutex_unlock(&sdata->local->iflist_mtx);
>
> Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
> attempt to connect the only device. How this is expected to work if there are
> more than one device?

Isn't sdata already specific enough? What do you mean by "device"?

Thanks,
Miquèl

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-13 10:58             ` Miquel Raynal
@ 2024-11-13 12:45               ` Dmitry Antipov
  0 siblings, 0 replies; 15+ messages in thread
From: Dmitry Antipov @ 2024-11-13 12:45 UTC (permalink / raw)
  To: Miquel Raynal
  Cc: Lizhi Xu, alex.aring, davem, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On 11/13/24 1:58 PM, Miquel Raynal wrote:

>> Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
>> attempt to connect the only device. How this is expected to work if there are
>> more than one device?
> 
> Isn't sdata already specific enough? What do you mean by "device"?

Well, syzbot's reproducer triggers this issue via USB Raw Gadget API. IIUC this
is a debugging feature and it is possible to have the only raw gadget device.
So when running syzbot's reproducer, 'list_count_nodes(&sdata->local->interfaces)'
is always <= 1. But how this is expected to work for >1 case?

Dmitry

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-13 10:29           ` [PATCH] mac802154: add a check for slave data list before delete Dmitry Antipov
  2024-11-13 10:58             ` Miquel Raynal
@ 2024-11-14  1:00             ` Lizhi Xu
  2024-11-14  1:17               ` Lizhi Xu
  1 sibling, 1 reply; 15+ messages in thread
From: Lizhi Xu @ 2024-11-14  1:00 UTC (permalink / raw)
  To: dmantipov
  Cc: alex.aring, davem, edumazet, horms, kuba, linux-kernel, linux-usb,
	linux-wpan, lizhi.xu, miquel.raynal, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On Wed, 13 Nov 2024 13:29:55 +0300, Dmitry Antipov wrote:
> On 11/12/24 4:41 PM, Lizhi Xu wrote:
> 
> >   	mutex_lock(&sdata->local->iflist_mtx);
> > +	if (list_empty(&sdata->local->interfaces)) {
> > +		mutex_unlock(&sdata->local->iflist_mtx);
> > +		return;
> > +	}
> >   	list_del_rcu(&sdata->list);
> >   	mutex_unlock(&sdata->local->iflist_mtx);
> 
> Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
> attempt to connect the only device. How this is expected to work if there are
> more than one device?
There are two locks (rtnl and iflist_mtx) to protection and synchronization
local->interfaces, so no need to worry about multiple devices.

Lizhi

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] mac802154: add a check for slave data list before delete
  2024-11-14  1:00             ` Lizhi Xu
@ 2024-11-14  1:17               ` Lizhi Xu
  0 siblings, 0 replies; 15+ messages in thread
From: Lizhi Xu @ 2024-11-14  1:17 UTC (permalink / raw)
  To: lizhi.xu
  Cc: alex.aring, davem, dmantipov, edumazet, horms, kuba, linux-kernel,
	linux-usb, linux-wpan, miquel.raynal, netdev, pabeni, stefan,
	syzbot+985f827280dc3a6e7e92, syzkaller-bugs

On Thu, 14 Nov 2024 09:00:25 +0800, Lizhi Xu wrote:
> On Wed, 13 Nov 2024 13:29:55 +0300, Dmitry Antipov wrote:
> > On 11/12/24 4:41 PM, Lizhi Xu wrote:
> >
> > >   	mutex_lock(&sdata->local->iflist_mtx);
> > > +	if (list_empty(&sdata->local->interfaces)) {
> > > +		mutex_unlock(&sdata->local->iflist_mtx);
> > > +		return;
> > > +	}
> > >   	list_del_rcu(&sdata->list);
> > >   	mutex_unlock(&sdata->local->iflist_mtx);
> >
> > Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
> > attempt to connect the only device. How this is expected to work if there are
> > more than one device?
> There are two locks (rtnl and iflist_mtx) to protection and synchronization
> local->interfaces, so no need to worry about multiple devices.
In other words, this case is a race between removing the 802154 master
and the user sendmsg actively deleting the slave.
Then when the master is removed, there is no need to execute the latter to
remove the slave, because all the slave devices have been deleted when the
master device is removed..

Lizhi

^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2024-11-19 10:15 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-06 16:53 [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove syzbot
2024-11-08 14:54 ` [PATCH] mac802154: add a check for slave data list before delete Lizhi Xu
2024-11-11 19:46   ` Miquel Raynal
2024-11-12  0:21     ` Lizhi Xu
2024-11-12  4:31       ` [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove syzbot
2024-11-12 11:01       ` [PATCH] mac802154: add a check for slave data list before delete Miquel Raynal
2024-11-12 13:41         ` Lizhi Xu
2024-11-13  8:26           ` Miquel Raynal
2024-11-13  9:51             ` [PATCH V2] mac802154: check local interfaces before deleting sdata list Lizhi Xu
2024-11-19 10:06               ` Stefan Schmidt
2024-11-13 10:29           ` [PATCH] mac802154: add a check for slave data list before delete Dmitry Antipov
2024-11-13 10:58             ` Miquel Raynal
2024-11-13 12:45               ` Dmitry Antipov
2024-11-14  1:00             ` Lizhi Xu
2024-11-14  1:17               ` Lizhi Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).