From: Sabrina Dubroca <sd@queasysnail.net>
To: Stanislav Fomichev <sdf@fomichev.me>
Cc: netdev@vger.kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, andrew+netdev@lunn.ch,
linux-kernel@vger.kernel.org,
syzbot+7e0f89fb6cae5d002de0@syzkaller.appspotmail.com
Subject: Re: [PATCH net] macsec: sync features on RTM_NEWLINK
Date: Wed, 10 Sep 2025 00:11:15 +0200 [thread overview]
Message-ID: <aMCmA0kz7EMG2uCw@krikkit> (raw)
In-Reply-To: <20250908173614.3358264-1-sdf@fomichev.me>
2025-09-08, 10:36:14 -0700, Stanislav Fomichev wrote:
> Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:
>
> netdev_lock include/linux/netdevice.h:2761 [inline]
> netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> netdev_sync_lower_features net/core/dev.c:10649 [inline]
> __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819
> netdev_update_features+0x6d/0xe0 net/core/dev.c:10876
> macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533
> notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
> call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
> call_netdevice_notifiers net/core/dev.c:2281 [inline]
> netdev_features_change+0x85/0xc0 net/core/dev.c:1570
> __dev_ethtool net/ethtool/ioctl.c:3469 [inline]
> dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502
> dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759
>
> It happens because lower features are out of sync with the upper:
>
> __dev_ethtool (real_dev)
> netdev_lock_ops(real_dev)
> ETHTOOL_SFEATURES
> __netdev_features_change
> netdev_sync_upper_features
> disable LRO on the lower
> if (old_features != dev->features)
> netdev_features_change
> fires NETDEV_FEAT_CHANGE
> macsec_notify
> NETDEV_FEAT_CHANGE
> netdev_update_features (for each macsec dev)
> netdev_sync_lower_features
> if (upper_features != lower_features)
> netdev_lock_ops(lower) # lower == real_dev
> stuck
> ...
>
> netdev_unlock_ops(real_dev)
>
> Per commit af5f54b0ef9e ("net: Lock lower level devices when updating
> features"), we elide the lock/unlock when the upper and lower features
> are synced. Makes sure the lower (real_dev) has proper features after
> the macsec link has been created. This makes sure we never hit the
> situation where we need to sync upper flags to the lower.
>
> Reported-by: syzbot+7e0f89fb6cae5d002de0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7e0f89fb6cae5d002de0
> Fixes: 7e4d784f5810 ("net: hold netdev instance lock during rtnetlink operations")
> Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
> ---
> drivers/net/macsec.c | 1 +
> 1 file changed, 1 insertion(+)
Thanks for the detailed explanation of the problem.
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
next prev parent reply other threads:[~2025-09-09 22:11 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-08 17:36 [PATCH net] macsec: sync features on RTM_NEWLINK Stanislav Fomichev
2025-09-09 22:11 ` Sabrina Dubroca [this message]
2025-09-10 1:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMCmA0kz7EMG2uCw@krikkit \
--to=sd@queasysnail.net \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=syzbot+7e0f89fb6cae5d002de0@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).