From patchwork Thu Nov 3 03:21:20 2016
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 690653
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1478143280.7065.427.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] netlink: netlink_diag_dump() runs without locks
From: Eric Dumazet
To: Andrey Konovalov
Cc: Herbert Xu, Andrew Morton, David Decotigny, "David S. Miller", Dmitry Ivanov, Eric Dumazet, Florian Westphal, Greg Rose, Johannes Berg, Matti Vaittinen, Pravin B Shelar, stephen hemminger, Tom Herbert, Tycho Andersen, LKML, netdev, syzkaller, Kostya Serebryany, Alexander Potapenko, Dmitry Vyukov
Date: Wed, 02 Nov 2016 20:21:20 -0700
References: <1478141906.7065.421.camel@edumazet-glaptop3.roam.corp.google.com>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

A recent commit removed locking from netlink_diag_dump() but forgot
one error case.

=====================================
[ BUG: bad unlock balance detected! ]
4.9.0-rc3+ #336 Not tainted
-------------------------------------
syz-executor/4018 is trying to release lock ([ 36.220068] nl_table_lock ) at:
[] netlink_diag_dump+0x1a3/0x250 net/netlink/diag.c:182
but there are no more locks to release!

other info that might help us debug this:
3 locks held by syz-executor/4018:
 #0: [ 36.220068] ( sock_diag_mutex[ 36.220068] ){+.+.+.} , at: [ 36.220068] [] sock_diag_rcv+0x1b/0x40
 #1: [ 36.220068] ( sock_diag_table_mutex[ 36.220068] ){+.+.+.} , at: [ 36.220068] [] sock_diag_rcv_msg+0x140/0x3a0
 #2: [ 36.220068] ( nlk->cb_mutex[ 36.220068] ){+.+.+.} , at: [ 36.220068] [] netlink_dump+0x50/0xac0

stack backtrace:
CPU: 1 PID: 4018 Comm: syz-executor Not tainted 4.9.0-rc3+ #336
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff8800645df688 ffffffff81b46934 ffffffff84eb3e78 ffff88006ad85800
 ffffffff82dc8683 ffffffff84eb3e78 ffff8800645df6b8 ffffffff812043ca
 dffffc0000000000 ffff88006ad85ff8 ffff88006ad85fd0 00000000ffffffff
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x17a/0x1a0 kernel/locking/lockdep.c:3388
 [< inline >] __lock_release kernel/locking/lockdep.c:3512
 [] lock_release+0x8e8/0xc60 kernel/locking/lockdep.c:3765
 [< inline >] __raw_read_unlock ./include/linux/rwlock_api_smp.h:225
 [] _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255
 [] netlink_diag_dump+0x1a3/0x250 net/netlink/diag.c:182
 [] netlink_dump+0x397/0xac0 net/netlink/af_netlink.c:2110

Fixes: ad202074320c ("netlink: Use rhashtable walk interface in diag dump")
Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
Tested-by: Andrey Konovalov
---
 net/netlink/diag.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/netlink/diag.c b/net/netlink/diag.c index b2f0e986a6f4..a5546249fb10 100644 --- a/net/netlink/diag.c +++ b/net/netlink/diag.c @@ -178,11 +178,8 @@ static int netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) } cb->args[1] = i; } else { - if (req->sdiag_protocol >= MAX_LINKS) { - read_unlock(&nl_table_lock); - rcu_read_unlock(); + if (req->sdiag_protocol >= MAX_LINKS) return -ENOENT; - } err = __netlink_diag_dump(skb, cb, req->sdiag_protocol, s_num); }
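
Review bot: the changelog should say that the removed error path in the else branch (req->sdiag_protocol >= MAX_LINKS) dropped two things that were never taken, read_unlock(&nl_table_lock) and rcu_read_unlock(), since the lockdep report quoted above only shows the nl_table_lock imbalance at net/netlink/diag.c:182 and a reader could miss that the RCU read-side nesting was being unbalanced on the same path. The hunk shows only this one site, so it is also worth confirming in the changelog that no other unlock of nl_table_lock or rcu_read_unlock() remains in netlink_diag_dump(), in particular on the path that follows err = __netlink_diag_dump(skb, cb, req->sdiag_protocol, s_num). With the braces gone, the single-statement form "if (...) return -ENOENT;" matches kernel style.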