Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp2934284ybk; Mon, 18 May 2020 11:28:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzI73wmLaaF72soAY938BDQ9DJST1xng2cSEJCNiD2RkrhGWyLyJGcHc0gn9npGsjSvYgyl X-Received: by 2002:a50:f182:: with SMTP id x2mr14177802edl.336.1589826507340; Mon, 18 May 2020 11:28:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589826507; cv=none; d=google.com; s=arc-20160816; b=s4zfWHMQGnVWb1ALty3u5uysQ1HfZF9ckSJnfmfwJ+Wp91sODkjGdAO115zCwYrOzi KC5qSgr5oXKx/loiMp5oNAlUpCsl0iaoh/v89uOwjfL/AP123MXb0kvQ+QUN/mLDr+SQ y9cDWOUYqU5KnUR67foB3E2KODw06f9yY38Wq+rlggDYOaDgEhJ7q/z4jna3dM7Ml26F jRpDs8NeiNevnWFLPzcsq1VEMk/xlqDx+SYc+TUbOS2eSCIjiJGvB/j49Usn3YQDEOyh SuzzhiGWDr+8v1I9/I+YTQsQUlH19FtWYTb/SW80BxC7UVidfi9N4k0quuOSazneYCwX dcmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=785SBmBXheYL3zkbrE11jqs8uk/xRmrWoR3XnMqOnew=; b=ghsvBJBtN1GZ/O4fjaTZU32zCeyJnqgvV/x1eAeyKqKeZhLog3jxEzsyc/HWRl6GNo DGFq2K1Vs6LOpggCl5HZc2LNyRYetMu5bam2hXY9MO/MbUIaUQIWDNzWIkZBc/ZqkDx5 l+B30S9PEiNrlsT0vLFnQjhF9b2+uhgqBkG3revjzGoCcKvztWu4qUnEMBV513X86qh8 MYyI13HWgRiKWQtvCtM5mg42Pk3Ow+XZ55tq55hNecKK1JvMp8sJ9TdESUYbQ5Dqntv0 SxSdr7byUxK1kiyhryCVktzV4yOoi/OmFHzkRQQhUawN+K43Ql87Zf3ibopzJnlOKcaF W15g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=g9f8ix8Z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w19si4159987edx.164.2020.05.18.11.28.04; Mon, 18 May 2020 11:28:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=g9f8ix8Z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729975AbgERRpj (ORCPT + 99 others); Mon, 18 May 2020 13:45:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:44344 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729930AbgERRpa (ORCPT ); Mon, 18 May 2020 13:45:30 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 744BB20657; Mon, 18 May 2020 17:45:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589823930; bh=SxwLSk3uZevJ8oYo9YJfEefOaMoVzDApfnytjn6DlrQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=g9f8ix8ZVivIeXYRcTjCL2ltB9IgnooaPe/tidA5oOPtkQyQpsr6myeZAEMdnrEH/ +lZpeDX6tBfCbI7wSZfWvMKqjpyZkIOAg/kLOCLOApgmbG2GaEgQ1id5xeAakB0cxO FxIC2i+L0rXoS7LPNhGYj7+oQVRALFnNFqJW28pA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com, syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com, Jarod Wilson , Nikolay Aleksandrov , Josh Poimboeuf , Jann Horn , Jay Vosburgh , Cong Wang , "David S. Miller" Subject: [PATCH 4.9 68/90] net: fix a potential recursive NETDEV_FEAT_CHANGE Date: Mon, 18 May 2020 19:36:46 +0200 Message-Id: <20200518173505.049325848@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200518173450.930655662@linuxfoundation.org> References: <20200518173450.930655662@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Cong Wang [ Upstream commit dd912306ff008891c82cd9f63e8181e47a9cb2fb ] syzbot managed to trigger a recursive NETDEV_FEAT_CHANGE event between bonding master and slave. I managed to find a reproducer for this: ip li set bond0 up ifenslave bond0 eth0 brctl addbr br0 ethtool -K eth0 lro off brctl addif br0 bond0 ip li set br0 up When a NETDEV_FEAT_CHANGE event is triggered on a bonding slave, it captures this and calls bond_compute_features() to fixup its master's and other slaves' features. However, when syncing with its lower devices by netdev_sync_lower_features() this event is triggered again on slaves when the LRO feature fails to change, so it goes back and forth recursively until the kernel stack is exhausted. Commit 17b85d29e82c intentionally lets __netdev_update_features() return -1 for such a failure case, so we have to just rely on the existing check inside netdev_sync_lower_features() and skip NETDEV_FEAT_CHANGE event only for this specific failure case. Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") Reported-by: syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com Cc: Jarod Wilson Cc: Nikolay Aleksandrov Cc: Josh Poimboeuf Cc: Jann Horn Reviewed-by: Jay Vosburgh Signed-off-by: Cong Wang Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/core/dev.c +++ b/net/core/dev.c @@ -6939,11 +6939,13 @@ static void netdev_sync_lower_features(s netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n", &feature, lower->name); lower->wanted_features &= ~feature; - netdev_update_features(lower); + __netdev_update_features(lower); if (unlikely(lower->features & feature)) netdev_WARN(upper, "failed to disable %pNF on %s!\n", &feature, lower->name); + else + netdev_features_change(lower); } } }