[PATCH 5.9 001/133] net: core: use list_del_init() instead of list_del() in netdev_run_todo()

From: Greg Kroah-Hartman
Date: Mon Nov 09 2020 - 08:15:56 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.9 010/133] drm/i915: Fix TGL DKL PHY DP vswing handling"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 69/85] USB: serial: cyberjack: fix write-URB completion race"
In reply to: Greg Kroah-Hartman: "[PATCH 5.9 000/133] 5.9.7-rc1 review"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.9 010/133] drm/i915: Fix TGL DKL PHY DP vswing handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Taehee Yoo <ap420073@xxxxxxxxx>

commit 0e8b8d6a2d85344d80dda5beadd98f5f86e8d3d3 upstream.

dev->unlink_list is reused unless dev is deleted.
So, list_del() should not be used.
Due to using list_del(), dev->unlink_list can't be reused so that
dev->nested_level update logic doesn't work.
In order to fix this bug, list_del_init() should be used instead
of list_del().

Test commands:
ip link add bond0 type bond
ip link add bond1 type bond
ip link set bond0 master bond1
ip link set bond0 nomaster
ip link set bond1 master bond0
ip link set bond1 nomaster

Splat looks like:
[ 255.750458][ T1030] ============================================
[ 255.751967][ T1030] WARNING: possible recursive locking detected
[ 255.753435][ T1030] 5.9.0-rc8+ #772 Not tainted
[ 255.754553][ T1030] --------------------------------------------
[ 255.756047][ T1030] ip/1030 is trying to acquire lock:
[ 255.757304][ T1030] ffff88811782a280 (&dev_addr_list_lock_key/1){+...}-{2:2}, at: dev_mc_sync_multiple+0xc2/0x150
[ 255.760056][ T1030]
[ 255.760056][ T1030] but task is already holding lock:
[ 255.761862][ T1030] ffff88811130a280 (&dev_addr_list_lock_key/1){+...}-{2:2}, at: bond_enslave+0x3d4d/0x43e0 [bonding]
[ 255.764581][ T1030]
[ 255.764581][ T1030] other info that might help us debug this:
[ 255.766645][ T1030] Possible unsafe locking scenario:
[ 255.766645][ T1030]
[ 255.768566][ T1030] CPU0
[ 255.769415][ T1030] ----
[ 255.770259][ T1030] lock(&dev_addr_list_lock_key/1);
[ 255.771629][ T1030] lock(&dev_addr_list_lock_key/1);
[ 255.772994][ T1030]
[ 255.772994][ T1030] *** DEADLOCK ***
[ 255.772994][ T1030]
[ 255.775091][ T1030] May be due to missing lock nesting notation
[ 255.775091][ T1030]
[ 255.777182][ T1030] 2 locks held by ip/1030:
[ 255.778299][ T1030] #0: ffffffffb1f63250 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x2e4/0x8b0
[ 255.780600][ T1030] #1: ffff88811130a280 (&dev_addr_list_lock_key/1){+...}-{2:2}, at: bond_enslave+0x3d4d/0x43e0 [bonding]
[ 255.783411][ T1030]
[ 255.783411][ T1030] stack backtrace:
[ 255.784874][ T1030] CPU: 7 PID: 1030 Comm: ip Not tainted 5.9.0-rc8+ #772
[ 255.786595][ T1030] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 255.789030][ T1030] Call Trace:
[ 255.789850][ T1030] dump_stack+0x99/0xd0
[ 255.790882][ T1030] __lock_acquire.cold.71+0x166/0x3cc
[ 255.792285][ T1030] ? register_lock_class+0x1a30/0x1a30
[ 255.793619][ T1030] ? rcu_read_lock_sched_held+0x91/0xc0
[ 255.794963][ T1030] ? rcu_read_lock_bh_held+0xa0/0xa0
[ 255.796246][ T1030] lock_acquire+0x1b8/0x850
[ 255.797332][ T1030] ? dev_mc_sync_multiple+0xc2/0x150
[ 255.798624][ T1030] ? bond_enslave+0x3d4d/0x43e0 [bonding]
[ 255.800039][ T1030] ? check_flags+0x50/0x50
[ 255.801143][ T1030] ? lock_contended+0xd80/0xd80
[ 255.802341][ T1030] _raw_spin_lock_nested+0x2e/0x70
[ 255.803592][ T1030] ? dev_mc_sync_multiple+0xc2/0x150
[ 255.804897][ T1030] dev_mc_sync_multiple+0xc2/0x150
[ 255.806168][ T1030] bond_enslave+0x3d58/0x43e0 [bonding]
[ 255.807542][ T1030] ? __lock_acquire+0xe53/0x51b0
[ 255.808824][ T1030] ? bond_update_slave_arr+0xdc0/0xdc0 [bonding]
[ 255.810451][ T1030] ? check_chain_key+0x236/0x5e0
[ 255.811742][ T1030] ? mutex_is_locked+0x13/0x50
[ 255.812910][ T1030] ? rtnl_is_locked+0x11/0x20
[ 255.814061][ T1030] ? netdev_master_upper_dev_get+0xf/0x120
[ 255.815553][ T1030] do_setlink+0x94c/0x3040
[ ... ]

Reported-by: syzbot+4a0f7bc34e3997a6c7df@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 1fc70edb7d7b ("net: core: add nested_level variable in net_device")
Signed-off-by: Taehee Yoo <ap420073@xxxxxxxxx>
Link: https://lore.kernel.org/r/20201015162606.9377-1-ap420073@xxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
net/core/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -10134,7 +10134,7 @@ void netdev_run_todo(void)
struct net_device *dev = list_first_entry(&unlink_list,
struct net_device,
unlink_list);
- list_del(&dev->unlink_list);
+ list_del_init(&dev->unlink_list);
dev->nested_level = dev->lower_level - 1;
}
#endif

Next message: Greg Kroah-Hartman: "[PATCH 5.9 010/133] drm/i915: Fix TGL DKL PHY DP vswing handling"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 69/85] USB: serial: cyberjack: fix write-URB completion race"
In reply to: Greg Kroah-Hartman: "[PATCH 5.9 000/133] 5.9.7-rc1 review"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.9 010/133] drm/i915: Fix TGL DKL PHY DP vswing handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]