From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 66/84] gtp: fix bad unlock balance in gtp_encap_enable_socket
Date: Sat, 11 Jan 2020 10:50:43 +0100
Message-ID: <20200111094910.533184272@linuxfoundation.org>
In-Reply-To: <20200111094845.328046411@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 90d72256addff9e5f8ad645e8f632750dd1f8935 ]
WARNING: bad unlock balance detected!
5.5.0-rc5-syzkaller #0 Not tainted
-------------------------------------
syz-executor921/9688 is trying to release lock (sk_lock-AF_INET6) at:
[<ffffffff84bf8506>] gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830
but there are no more locks to release!
other info that might help us debug this:
2 locks held by syz-executor921/9688:
#0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
#0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x405/0xaf0 net/core/rtnetlink.c:5421
#1: ffff88809304b560 (slock-AF_INET6){+...}, at: spin_lock_bh include/linux/spinlock.h:343 [inline]
#1: ffff88809304b560 (slock-AF_INET6){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2951
stack backtrace:
CPU: 0 PID: 9688 Comm: syz-executor921 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline]
print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984
__lock_release kernel/locking/lockdep.c:4242 [inline]
lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4503
sock_release_ownership include/net/sock.h:1496 [inline]
release_sock+0x17c/0x1c0 net/core/sock.c:2961
gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830
gtp_encap_enable drivers/net/gtp.c:852 [inline]
gtp_newlink+0x9fc/0xc60 drivers/net/gtp.c:666
__rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305
rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363
rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:659
____sys_sendmsg+0x753/0x880 net/socket.c:2330
___sys_sendmsg+0x100/0x170 net/socket.c:2384
__sys_sendmsg+0x105/0x1d0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg net/socket.c:2424 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445d49
Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8019074db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445d49
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00000000006dac30 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dac3c
R13: 00007ffea687f6bf R14: 00007f80190759c0 R15: 20c49ba5e353f7cf
Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/gtp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -818,7 +818,7 @@ static struct sock *gtp_encap_enable_soc
lock_sock(sock->sk);
if (sock->sk->sk_user_data) {
sk = ERR_PTR(-EBUSY);
- goto out_sock;
+ goto out_rel_sock;
}
sk = sock->sk;
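Review bot: the other `goto out_sock` sites are outside this hunk's context, and with this change they no longer reach `release_sock()`. Only the `sk_user_data` check, which sits after `lock_sock(sock->sk)`, is retargeted to `out_rel_sock` here, so it is worth confirming that every remaining jump to `out_sock` happens before the lock is taken. The changelog carries only the lockdep report; one sentence naming the unlocked path that reached `release_sock()` would make the fix easier to verify when backporting.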
@@ -831,8 +831,9 @@ static struct sock *gtp_encap_enable_soc
setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
-out_sock:
+out_rel_sock:
release_sock(sock->sk);
+out_sock:
sockfd_put(sock);
return sk;
}
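Review bot: the two exit labels at the end of the function carry no comment saying which one expects the socket lock to be held, and the Fixes: tag shows this imbalance came from an earlier fix to the same driver. A short comment at `out_rel_sock:` (lock held, falls through) and at `out_sock:` (lock not held, only drops the reference with `sockfd_put(sock)`) would document the fall-through order and make it harder for a later error path to pick the wrong label.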