Re: [PATCH net-next] net: dev_addr_lists: don't WARN on GFP_ATOMIC kmalloc failure in netif_rx_mode_run

[Jiayuan Chen]

On Tue, May 19, 2026 at 02:11:53PM +0800, Zijing yin wrote:
> Thank you so much for the feedback! I will address these comments in the 
> next version. This is not found by syzbot by the way.

There has the a syzbot report now:
https://syzkaller.appspot.com/bug?extid=f2421634072a4b47071e

> 
> Hope you have a great day!
> 
> On 19.05.2026 13:22, Jakub Sitnicki wrote:
> > On Tue, May 19, 2026 at 02:55 AM -07, Zijing Yin wrote:
> >> netif_rx_mode_run() fires netdev_WARN() when netif_addr_lists_snapshot()
> >> returns non-zero. The only path to a non-zero return is -ENOMEM from
> >> __hw_addr_create() failing its kmalloc(GFP_ATOMIC) -- syzkaller hits it
> >> via failslab, and it can also be reached under real memory pressure.
> >>
> >> This is the only allocator-failure site in this file that WARNs.
> >> __hw_addr_create() itself, and every other caller of it in this file
> >> (__hw_addr_add_ex(), dev_uc_add_excl(), dev_uc_add(), dev_mc_add(), ...)
> >> just propagate the -ENOMEM silently. GFP_ATOMIC is a may-fail allocator;
> >> callers are required to handle NULL, so a returned -ENOMEM here is an
> >> expected runtime condition, not an invariant violation.
> >>
> >> The miss is self-healing: any subsequent change to dev->uc / dev->mc
> >> (every dev_{uc,mc}_{add,del}, IFF_PROMISC flip, etc.) calls
> >> __dev_set_rx_mode() -> netif_rx_mode_queue(), which re-queues the device
> >> and retries the sync. The only cost of a failed attempt is one stale
> >> rx-mode window until the next update; nothing in the kernel relies on
> >> this attempt succeeding.
> >>
> >> Demote to net_err_ratelimited() so the condition stays observable in
> >> dmesg without tripping panic_on_warn.
> >>
> >> Reproducer (syzkaller .prog format with setup notes): 
> >> https://pastebin.com/t7AQKx9v
> >>
> >> Fixes: 3554b4345d85 ("net: introduce ndo_set_rx_mode_async and netdev_rx_mode_work")
> >> Signed-off-by: Zijing Yin <yzjaurora@xxxxxxxxx>
> >> ---
> >>  net/core/dev_addr_lists.c | 3 ++-
> >>  1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
> >> index d73fcb0c6..c6fdcac74 100644
> >> --- a/net/core/dev_addr_lists.c
> >> +++ b/net/core/dev_addr_lists.c
> >> @@ -1275,7 +1275,8 @@ static void netif_rx_mode_run(struct net_device *dev)
> >>  		err = netif_addr_lists_snapshot(dev, &uc_snap, &mc_snap,
> >>  						&uc_ref, &mc_ref);
> >>  		if (err) {
> >> -			netdev_WARN(dev, "failed to sync uc/mc addresses\n");
> >> +			net_err_ratelimited("%s: failed to sync uc/mc addresses\n",
> >> +					    netdev_name(dev));
> >>  			netif_addr_unlock_bh(dev);
> >>  			return;
> >>  		}
> > 
> > 1) I'd go with net_warn_ratelimited() instead. The promoted message
> > level in syslog might cause operational pain, and as you say the
> > condition is self-healing. Seems unwarranted.
> > 
> > 2) Since it has a Fixes tag, should probably be sumitted for 'net' tree.
> > 
> > 3) Was this reported by syzbot? If so, there should also be Reported-by
> > and Closes tags.
>