syzbot
2023-Jun-10 01:34 UTC
[Bridge] [syzbot] [net?] unregister_netdevice: waiting for DEV to become free (8)
Hello, syzbot found the following issue on: HEAD commit: 67faabbde36b selftests/bpf: Add missing prototypes for sev.. git tree: bpf-next console+strace: https://syzkaller.appspot.com/x/log.txt?x=1381363b280000 kernel config: https://syzkaller.appspot.com/x/.config?x=5335204dcdecfda dashboard link: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=132faf93280000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10532add280000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/751a0490d875/disk-67faabbd.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/2c5106cd9f1f/vmlinux-67faabbd.xz kernel image: https://storage.googleapis.com/syzbot-assets/62c1154294e4/bzImage-67faabbd.xz The issue was bisected to: commit ad2f99aedf8fa77f3ae647153284fa63c43d3055 Author: Arnd Bergmann <arnd at arndb.de> Date: Tue Jul 27 13:45:16 2021 +0000 net: bridge: move bridge ioctls out of .ndo_do_ioctl bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=146de6f1280000 final oops: https://syzkaller.appspot.com/x/report.txt?x=166de6f1280000 console output: https://syzkaller.appspot.com/x/log.txt?x=126de6f1280000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+881d65229ca4f9ae8c84 at syzkaller.appspotmail.com Fixes: ad2f99aedf8f ("net: bridge: move bridge ioctls out of .ndo_do_ioctl") unregister_netdevice: waiting for bridge0 to become free. Usage count = 2 leaked reference. __netdev_tracker_alloc include/linux/netdevice.h:4070 [inline] netdev_hold include/linux/netdevice.h:4099 [inline] dev_ifsioc+0xbc0/0xeb0 net/core/dev_ioctl.c:408 dev_ioctl+0x250/0x1090 net/core/dev_ioctl.c:605 sock_do_ioctl+0x15a/0x230 net/socket.c:1215 sock_ioctl+0x1f8/0x680 net/socket.c:1318 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller at googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection If the bug is already fixed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to change bug's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the bug is a duplicate of another bug, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup
Ziqi Zhao
2023-Jun-21 07:07 UTC
[Bridge] [syzbot] [net?] unregister_netdevice: waiting for DEV to become free (8)
Hi all, I'm taking a look at this bug as part of the exercice for the Linux Kernel Bug Fixing Summer 2023 program. Thanks to the help from my mentor, Ivan Orlov and Shuah Khan, I've already obtained a reproduction of the issue using the provided C reproducer, and I should be able to submit a patch by the end of this week to fix the highlighted error. If you have any information or suggestions, please feel free to reply to this thread. Any help would be greatly appreciated! Best regards, Ziqi
Ziqi Zhao
2023-Aug-19 08:10 UTC
[Bridge] [PATCH] net: bridge: Fix refcnt issues in dev_ioctl
In the bug reported by Syzbot, certain bridge devices would have a leaked reference created by race conditions in dev_ioctl, specifically, under SIOCBRADDIF or SIOCBRDELIF operations. The reference leak would be shown in the periodic unregister_netdevice call, which throws a warning and cause Syzbot to report a crash. Upon inspection of the logic in dev_ioctl, it seems the reference was introduced to ensure proper access to the bridge device after rtnl_unlock. and the latter function is necessary to maintain the following lock order in any bridge related ioctl calls: 1) br_ioctl_mutex => 2) rtnl_lock Conceptually, though, br_ioctl_mutex could be considered more specific than rtnl_lock given their usages, hence swapping their order would be a reasonable proposal. This patch changes all related call sites to maintain the reversed order of the two locks: 1) rtnl_lock => 2) br_ioctl_mutex By doing so, the extra reference introduced in dev_ioctl is no longer needed, and hence the reference leak bug is now resolved. Reported-by: syzbot+881d65229ca4f9ae8c84 at syzkaller.appspotmail.com Fixes: ad2f99aedf8f ("net: bridge: move bridge ioctls out of .ndo_do_ioctl") Signed-off-by: Ziqi Zhao <astrajoan at yahoo.com> --- net/bridge/br_ioctl.c | 4 ---- net/core/dev_ioctl.c | 8 +------- net/socket.c | 2 ++ 3 files changed, 3 insertions(+), 11 deletions(-) diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index f213ed108361..291dbc5d2a99 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -399,8 +399,6 @@ int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, { int ret = -EOPNOTSUPP; - rtnl_lock(); - switch (cmd) { case SIOCGIFBR: case SIOCSIFBR: @@ -434,7 +432,5 @@ int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, break; } - rtnl_unlock(); - return ret; } diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c index 3730945ee294..17df956df8cb 100644 --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -336,7 +336,6 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, int err; struct net_device *dev = __dev_get_by_name(net, ifr->ifr_name); const struct net_device_ops *ops; - netdevice_tracker dev_tracker; if (!dev) return -ENODEV; @@ -405,12 +404,7 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, return -ENODEV; if (!netif_is_bridge_master(dev)) return -EOPNOTSUPP; - netdev_hold(dev, &dev_tracker, GFP_KERNEL); - rtnl_unlock(); - err = br_ioctl_call(net, netdev_priv(dev), cmd, ifr, NULL); - netdev_put(dev, &dev_tracker); - rtnl_lock(); - return err; + return br_ioctl_call(net, netdev_priv(dev), cmd, ifr, NULL); case SIOCDEVPRIVATE ... SIOCDEVPRIVATE + 15: return dev_siocdevprivate(dev, ifr, data, cmd); diff --git a/net/socket.c b/net/socket.c index 2b0e54b2405c..6b7a9df9a326 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1258,7 +1258,9 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) case SIOCSIFBR: case SIOCBRADDBR: case SIOCBRDELBR: + rtnl_lock(); err = br_ioctl_call(net, NULL, cmd, NULL, argp); + rtnl_unlock(); break; case SIOCGIFVLAN: case SIOCSIFVLAN: -- 2.34.1