linux-kernel - Re: [syzbot] [bluetooth?] [wireless?] WARNING in free

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <20250119074808.2137-1-hdanton@sina.com>
Date: Sun, 19 Jan 2025 15:48:07 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+85ff1051228a04613a32@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] [wireless?] WARNING in free_netdev (2)

On Fri, 17 Jan 2025 14:44:19 -0800
> syzbot found the following issue on:
> 
> HEAD commit:    8d20dcda404d selftests: drv-net-hw: inject pp_alloc_fail e..
> git tree:       net-next
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13ffc2b0580000

#syz test

diff -pur p/include/linux/netdevice.h q/include/linux/netdevice.h
--- p/include/linux/netdevice.h	2025-01-19 14:23:21.962713400 +0800
+++ q/include/linux/netdevice.h	2025-01-19 14:44:32.303599900 +0800
@@ -2047,6 +2047,7 @@ enum netdev_reg_state {
  *	FIXME: cleanup struct net_device such that network protocol info
  *	moves out.
  */
+extern unsigned long extra_netdev_locks;
 
 struct net_device {
 	/* Cacheline organization can be found documented in
diff -pur p/net/core/dev.c q/net/core/dev.c
--- p/net/core/dev.c	2025-01-19 14:26:04.863348200 +0800
+++ q/net/core/dev.c	2025-01-19 15:43:55.326734000 +0800
@@ -10269,14 +10269,19 @@ static bool from_cleanup_net(void)
 #endif
 }
 
+unsigned long extra_netdev_locks = 0;
 static void rtnl_drop_if_cleanup_net(void)
 {
+	if (extra_netdev_locks)
+		return;
 	if (from_cleanup_net())
 		__rtnl_unlock();
 }
 
 static void rtnl_acquire_if_cleanup_net(void)
 {
+	if (extra_netdev_locks)
+		return;
 	if (from_cleanup_net())
 		rtnl_lock();
 }
@@ -11606,8 +11611,6 @@ void free_netdev(struct net_device *dev)
 		return;
 	}
 
-	mutex_destroy(&dev->lock);
-
 	kfree(dev->ethtool);
 	netif_free_tx_queues(dev);
 	netif_free_rx_queues(dev);
diff -pur p/net/wireless/core.c q/net/wireless/core.c
--- p/net/wireless/core.c	2025-01-19 14:29:30.497265000 +0800
+++ q/net/wireless/core.c	2025-01-19 14:40:07.687903000 +0800
@@ -1247,8 +1247,11 @@ static void _cfg80211_unregister_wdev(st
 
 	if (wdev->netdev) {
 		sysfs_remove_link(&wdev->netdev->dev.kobj, "phy80211");
-		if (unregister_netdev)
+		if (unregister_netdev) {
+			extra_netdev_locks++;
 			unregister_netdevice(wdev->netdev);
+			extra_netdev_locks--;
+		}
 	}
 
 	list_del_rcu(&wdev->list);
--