From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 48/62] gtp: fix bad unlock balance in gtp_encap_enable_socket
Date: Sat, 11 Jan 2020 10:50:30 +0100 [thread overview]
Message-ID: <20200111094852.090050610@linuxfoundation.org> (raw)
In-Reply-To: <20200111094837.425430968@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 90d72256addff9e5f8ad645e8f632750dd1f8935 ]
WARNING: bad unlock balance detected!
5.5.0-rc5-syzkaller #0 Not tainted
-------------------------------------
syz-executor921/9688 is trying to release lock (sk_lock-AF_INET6) at:
[<ffffffff84bf8506>] gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830
but there are no more locks to release!
other info that might help us debug this:
2 locks held by syz-executor921/9688:
#0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
#0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x405/0xaf0 net/core/rtnetlink.c:5421
#1: ffff88809304b560 (slock-AF_INET6){+...}, at: spin_lock_bh include/linux/spinlock.h:343 [inline]
#1: ffff88809304b560 (slock-AF_INET6){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2951
stack backtrace:
CPU: 0 PID: 9688 Comm: syz-executor921 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline]
print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984
__lock_release kernel/locking/lockdep.c:4242 [inline]
lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4503
sock_release_ownership include/net/sock.h:1496 [inline]
release_sock+0x17c/0x1c0 net/core/sock.c:2961
gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830
gtp_encap_enable drivers/net/gtp.c:852 [inline]
gtp_newlink+0x9fc/0xc60 drivers/net/gtp.c:666
__rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305
rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363
rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:659
____sys_sendmsg+0x753/0x880 net/socket.c:2330
___sys_sendmsg+0x100/0x170 net/socket.c:2384
__sys_sendmsg+0x105/0x1d0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg net/socket.c:2424 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445d49
Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8019074db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445d49
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00000000006dac30 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dac3c
R13: 00007ffea687f6bf R14: 00007f80190759c0 R15: 20c49ba5e353f7cf
Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/gtp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -816,7 +816,7 @@ static struct sock *gtp_encap_enable_soc
lock_sock(sock->sk);
if (sock->sk->sk_user_data) {
sk = ERR_PTR(-EBUSY);
- goto out_sock;
+ goto out_rel_sock;
}
sk = sock->sk;
@@ -829,8 +829,9 @@ static struct sock *gtp_encap_enable_soc
setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
-out_sock:
+out_rel_sock:
release_sock(sock->sk);
+out_sock:
sockfd_put(sock);
return sk;
}
next prev parent reply other threads:[~2020-01-11 10:11 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-11 9:49 [PATCH 4.14 00/62] 4.14.164-stable review Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 01/62] USB: dummy-hcd: use usb_urb_dir_in instead of usb_pipein Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 02/62] USB: dummy-hcd: increase max number of devices to 32 Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 03/62] locking/spinlock/debug: Fix various data races Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 04/62] netfilter: ctnetlink: netns exit must wait for callbacks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 05/62] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 06/62] libtraceevent: Fix lib installation with O= Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 07/62] x86/efi: Update e820 with reserved EFI boot services data to fix kexec breakage Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 08/62] efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 09/62] efi/gop: Return EFI_SUCCESS if a usable GOP was found Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 10/62] efi/gop: Fix memory leak in __gop_query32/64() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 11/62] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 12/62] netfilter: uapi: Avoid undefined left-shift in xt_sctp.h Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 13/62] netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 14/62] ARM: dts: Cygnus: Fix MDIO node address/size cells Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 15/62] spi: spi-cavium-thunderx: Add missing pci_release_regions() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 16/62] ASoC: topology: Check return value for soc_tplg_pcm_create() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.14 17/62] ARM: dts: bcm283x: Fix critical trip point Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 18/62] bpf, mips: Limit to 33 tail calls Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 19/62] ARM: dts: am437x-gp/epos-evm: fix panel compatible Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 20/62] samples: bpf: Replace symbol compare of trace_event Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 21/62] samples: bpf: fix syscall_tp due to unused syscall Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 22/62] powerpc: Ensure that swiotlb buffer is allocated from low memory Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 23/62] bnx2x: Do not handle requests from VFs after parity Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 24/62] bnx2x: Fix logic to get total no. of PFs per engine Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 25/62] net: usb: lan78xx: Fix error message format specifier Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 26/62] rfkill: Fix incorrect check to avoid NULL pointer dereference Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 27/62] ASoC: wm8962: fix lambda value Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 28/62] regulator: rn5t618: fix module aliases Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 29/62] kconfig: dont crash on NULL expressions in expr_eq() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 30/62] perf/x86/intel: Fix PT PMI handling Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 31/62] fs: avoid softlockups in s_inodes iterators Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 32/62] net: stmmac: Do not accept invalid MTU values Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 33/62] net: stmmac: RX buffer size must be 16 byte aligned Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 34/62] s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 35/62] s390/dasd: fix memleak in path handling error case Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 36/62] block: fix memleak when __blk_rq_map_user_iov() is failed Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 37/62] parisc: Fix compiler warnings in debug_core.c Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 38/62] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 39/62] hv_netvsc: Fix unwanted rx_table reset Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 40/62] bpf: reject passing modified ctx to helper functions Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 41/62] bpf: Fix passing modified ctx to ld/abs/ind instruction Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 42/62] PCI/switchtec: Read all 64 bits of part_event_bitmap Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 43/62] mmc: block: Convert RPMB to a character device Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 44/62] mmc: block: Delete mmc_access_rpmb() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 45/62] mmc: block: Fix bug when removing RPMB chardev Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 46/62] mmc: core: Prevent bus reference leak in mmc_blk_init() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 47/62] mmc: block: propagate correct returned value in mmc_rpmb_ioctl Greg Kroah-Hartman
2020-01-11 9:50 ` Greg Kroah-Hartman [this message]
2020-01-11 9:50 ` [PATCH 4.14 49/62] macvlan: do not assume mac_header is set in macvlan_broadcast() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 50/62] net: dsa: mv88e6xxx: Preserve priority when setting CPU port Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 51/62] net: stmmac: dwmac-sun8i: Allow all RGMII modes Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 52/62] net: stmmac: dwmac-sunxi: " Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 53/62] net: usb: lan78xx: fix possible skb leak Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 54/62] pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 55/62] USB: core: fix check for duplicate endpoints Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 56/62] USB: serial: option: add Telit ME910G1 0x110a composition Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 57/62] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 58/62] tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 59/62] vxlan: fix tos value before xmit Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 60/62] vlan: vlan_changelink() should propagate errors Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 61/62] net: sch_prio: When ungrafting, replace with FIFO Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.14 62/62] vlan: fix memory leak in vlan_dev_set_egress_priority Greg Kroah-Hartman
2020-01-11 14:55 ` [PATCH 4.14 00/62] 4.14.164-stable review Guenter Roeck
2020-01-11 18:38 ` Naresh Kamboju
2020-01-13 15:47 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200111094852.090050610@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).