Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1773921ybl; Sat, 11 Jan 2020 02:32:46 -0800 (PST) X-Google-Smtp-Source: APXvYqzNAjXqY6ntV2ifdmH+t7LCp+N9cuhQcfbLT4jvYLNNpZtGqlKivRAtsQr1BQQ5+i/5Aame X-Received: by 2002:a9d:24ea:: with SMTP id z97mr6389978ota.345.1578738766608; Sat, 11 Jan 2020 02:32:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578738766; cv=none; d=google.com; s=arc-20160816; b=euYA8z8k1MX7GpzVuCTpkSymJMBYN7wuWYSY9VZZq2IcSxGUjx591GEWE031d+1AJV XQvlGCidWqQSeCBMiP/kJkVE/8p7XEj0gZCj/I2QbwfTCO63uf0roVRFA/SIph8vVAOV m7nTFnid+VreQxPDXFJ2knbtym1/M2BQ1xdH19N2kuISMP4+fA0I9XxEP37WM1iC7lko xdTCalyBTZ97pRab1XFTHCuomUQLXhMMYQPWXpXfzZYnzPUjFhz7slM09UtuAxbce5He aFXheQpia86tq4YQACb/7T+k+zCLyZC6LXtG0MK+OGUBu7ZWt3dPgv5QvAy6MaVGSjX5 9m/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=8Xuf1Ey3BvyAQdsMBbJiGae+CKuNrQDJ078Fo7Druy8=; b=ybYgIkHiEoce1oqvSD3k/NjdggbBCbhqbHaH/t8dXq3Plc5PJRDHe/nXHEINYbXkm4 GOagsgigvjyj57nZWKivJQrrElHVMjMkr6yYwYI3LBSObKoGaagopFUE7ciRBBel39AA WKVMvZclxcXxCgWFhNHCvGFjfOCpwtBbTehsQz7m/n2u6iO6qwfi9tSol00GIxl3e1ah flKtER99+1Dupn37C28SNyNxH21Uj5p03rEqkR8UZCTk8CkHrUqc4ssVYOusOP7rqV4U rI9/dOBOW0vObUkIWBahiNxbjDBbtK4o45Gw5tb3kAkweMFMMMYp+SxZVvJufBCBjeOY czOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1xNUnTAL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e73si2943125oib.145.2020.01.11.02.32.35; Sat, 11 Jan 2020 02:32:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1xNUnTAL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731180AbgAKKbl (ORCPT + 99 others); Sat, 11 Jan 2020 05:31:41 -0500 Received: from mail.kernel.org ([198.145.29.99]:43602 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728919AbgAKKbl (ORCPT ); Sat, 11 Jan 2020 05:31:41 -0500 Received: from localhost (unknown [62.119.166.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C2DEB20678; Sat, 11 Jan 2020 10:31:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578738700; bh=K/FnqOrzPxXzd8Cy29EfUt4mTxgmx4R4v4ePT54WymU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1xNUnTALHSeWicej83hfCeVRv+3IEdVYaqGdZ9NBjjlE+/ZGw5i9lftBdWDGi92mL L9+a+QQXtAaUAPCAxFRw15wp+G3uDHgMgz5ToTO7SiDpitKpNEwney8+Mq3jgnZvVu hvVlyEg0pUccSMRekH6ZnTJPW5lHoHrnJ0seJYCU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , Taehee Yoo , "David S. Miller" Subject: [PATCH 5.4 138/165] gtp: fix bad unlock balance in gtp_encap_enable_socket Date: Sat, 11 Jan 2020 10:50:57 +0100 Message-Id: <20200111094937.659697179@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200111094921.347491861@linuxfoundation.org> References: <20200111094921.347491861@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit 90d72256addff9e5f8ad645e8f632750dd1f8935 ] WARNING: bad unlock balance detected! 5.5.0-rc5-syzkaller #0 Not tainted ------------------------------------- syz-executor921/9688 is trying to release lock (sk_lock-AF_INET6) at: [] gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830 but there are no more locks to release! other info that might help us debug this: 2 locks held by syz-executor921/9688: #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x405/0xaf0 net/core/rtnetlink.c:5421 #1: ffff88809304b560 (slock-AF_INET6){+...}, at: spin_lock_bh include/linux/spinlock.h:343 [inline] #1: ffff88809304b560 (slock-AF_INET6){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2951 stack backtrace: CPU: 0 PID: 9688 Comm: syz-executor921 Not tainted 5.5.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline] print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984 __lock_release kernel/locking/lockdep.c:4242 [inline] lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4503 sock_release_ownership include/net/sock.h:1496 [inline] release_sock+0x17c/0x1c0 net/core/sock.c:2961 gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830 gtp_encap_enable drivers/net/gtp.c:852 [inline] gtp_newlink+0x9fc/0xc60 drivers/net/gtp.c:666 __rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305 rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:659 ____sys_sendmsg+0x753/0x880 net/socket.c:2330 ___sys_sendmsg+0x100/0x170 net/socket.c:2384 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x445d49 Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f8019074db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445d49 RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 RBP: 00000000006dac30 R08: 0000000000000004 R09: 0000000000000000 R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dac3c R13: 00007ffea687f6bf R14: 00007f80190759c0 R15: 20c49ba5e353f7cf Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/gtp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -813,7 +813,7 @@ static struct sock *gtp_encap_enable_soc lock_sock(sock->sk); if (sock->sk->sk_user_data) { sk = ERR_PTR(-EBUSY); - goto out_sock; + goto out_rel_sock; } sk = sock->sk; @@ -826,8 +826,9 @@ static struct sock *gtp_encap_enable_soc setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); -out_sock: +out_rel_sock: release_sock(sock->sk); +out_sock: sockfd_put(sock); return sk; }