From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, David Howells, syzbot, "David S. Miller"
Subject: [PATCH 4.19 271/313] rxrpc: bad unlock balance in rxrpc_recvmsg
Date: Mon, 11 Feb 2019 15:19:11 +0100
Message-Id: <20190211141911.396700114@linuxfoundation.org>
In-Reply-To: <20190211141852.749630980@linuxfoundation.org>
References: <20190211141852.749630980@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet

[ Upstream commit 6dce3c20ac429e7a651d728e375853370c796e8d ]

When either "goto wait_interrupted;" or "goto wait_error;"
paths are taken, socket lock has already been released.

This patch fixes following syzbot splat :

WARNING: bad unlock balance detected!
5.0.0-rc4+ #59 Not tainted
-------------------------------------
syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at:
[] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor223/8256:
 #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
 #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798

stack backtrace:
CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline]
 print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368
 __lock_release kernel/locking/lockdep.c:3601 [inline]
 lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860
 sock_release_ownership include/net/sock.h:1471 [inline]
 release_sock+0x183/0x1c0 net/core/sock.c:2808
 rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg net/socket.c:801 [inline]
 sock_recvmsg+0xd0/0x110 net/socket.c:797
 __sys_recvfrom+0x1ff/0x350 net/socket.c:1845
 __do_sys_recvfrom net/socket.c:1863 [inline]
 __se_sys_recvfrom net/socket.c:1859 [inline]
 __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446379
Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08
0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Signed-off-by: Eric Dumazet Cc: David Howells Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/rxrpc/recvmsg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -596,6 +596,7 @@ error_requeue_call: } error_no_call: release_sock(&rx->sk); +error_trace: trace_rxrpc_recvmsg(call, rxrpc_recvmsg_return, 0, 0, 0, ret); return ret; @@ -604,7 +605,7 @@ wait_interrupted: wait_error: finish_wait(sk_sleep(&rx->sk), &wait); call = NULL; - goto error_no_call; + goto error_trace; } /**
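Review bot: the new error_trace: label in the first hunk (@@ -596,6 +596,7 @@) carries no comment saying it is the entry point for paths that arrive with the socket lock already dropped, while error_no_call: falls through into it only after release_sock(&rx->sk). The two labels now differ solely in lock state, so a one-line comment above error_trace: stating that callers must not hold the socket lock would keep a later goto from being pointed at the wrong one and reintroducing the unbalanced release_sock() that the splat reports.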
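Review bot: in the second hunk (@@ -604,7 +605,7 @@), call = NULL; sits directly before goto error_trace;, so both wait_interrupted and wait_error reach trace_rxrpc_recvmsg(call, rxrpc_recvmsg_return, 0, 0, 0, ret) with a NULL call. The old goto error_no_call; ended at the same tracepoint, so this is unchanged behaviour, but now that the jump target exists only to reach the tracepoint, a short comment at the goto noting that the NULL call is intentional and that the socket lock is already released on these paths would make the exit self-explanatory.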