[syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove


syzbot

Nov 6, 2024, 11:53:25 AM
to alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, miquel...@bootlin.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 557329bcecc2 Merge tag 'mmc-v6.12-rc3' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14a9f740580000
kernel config: https://syzkaller.appspot.com/x/.config?x=921b01cbfd887a9b
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d76d5f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a9f740580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2b44e0081eb5/disk-557329bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15b6a52c8e11/vmlinux-557329bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab40912bec45/bzImage-557329bc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+985f82...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del_rcu include/linux/rculist.h:157 [inline]
ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:744
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
___sys_sendmsg net/socket.c:2661 [inline]
__sys_sendmsg+0x292/0x380 net/socket.c:2690
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd094c32309
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffec50063a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd094c32309
RDX: 0000000004000000 RSI: 0000000020000b00 RDI: 0000000000000004
RBP: 00000000000f4240 R08: 0000000000000000 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000161b7
R13: 00007ffec50063bc R14: 00007ffec50063d0 R15: 00007ffec50063c0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Nov 8, 2024, 2:17:58 AM
to syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
net device has been unregistered?

#syz test

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..7a033e0f82d8 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ if (sdata->dev->reg_state == NETREG_REGISTERED)
+ return;
+
mutex_lock(&sdata->local->iflist_mtx);
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);
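Review bot: the guard `+ if (sdata->dev->reg_state == NETREG_REGISTERED)` returns early in the normal case, a device that is still registered, so every ordinary del_iface would now skip both list_del_rcu and unregister_netdevice and leave the interface in place; the case to bail out of is a device that is already being torn down, not one that is registered. A "did not trigger any issue" result on this version also says little, because the early return removes the crashing call for every input.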

Lizhi Xu

Nov 8, 2024, 2:18:26 AM
to syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
net device has been unregistered?

#syz test

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..7a033e0f82d8 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ if (sdata->dev->reg_state == NETREG_UNREGISTERING)
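Review bot: this hunk is truncated: it stops at the `+ if (...)` line with no `return;`, only one of the three added lines the header `@@ -683,6 +683,9 @@` promises, and no trailing context, so it cannot apply as posted; please resend the complete hunk.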

syzbot

Nov 8, 2024, 3:08:05 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1306dd87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1422c0c0580000

Note: testing is done by a robot and is best-effort only.

syzbot

Nov 8, 2024, 3:32:07 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1208cea7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11174ea7980000

Lizhi Xu

Nov 8, 2024, 4:31:45 AM
to syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
net device has been unregistered?

#syz test

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..57de7ca7954b 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ printk("sd: %p, sdl: %p, dev: %p, %s\n", sdata, sdata->list, sdata->dev, __func__);
+ if (sdata->dev->reg_state == NETREG_UNREGISTERING)
+ return;
+
mutex_lock(&sdata->local->iflist_mtx);
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);
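Review bot: in the `+ printk(...)` line, `sdata->list` is a `struct list_head` passed by value where `%p` expects a pointer, so the variadic arguments are shifted: the test output below prints `sdl: dead000000000100, dev: dead000000000122`, which are list.next and list.prev (LIST_POISON1 and LIST_POISON2), and the `%s` argument is lost. Pass `&sdata->list` instead. The poisoned pointers also show the entry had already been unlinked by ieee802154_remove_interfaces, so testing for exactly NETREG_UNREGISTERING does not cover the state the device is in by the time the netlink path reaches it.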
@@ -697,6 +701,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)

mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ printk("sd: %p, sdl: %p, dev: %p, %s\n", sdata, sdata->list, sdata->dev, __func__);
list_del(&sdata->list);

unregister_netdevice(sdata->dev);
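Review bot: same `%p` argument mismatch as in the previous hunk: `sdata->list` is a struct, not a pointer; pass `&sdata->list`.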

syzbot

Nov 8, 2024, 5:00:06 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ieee802154_if_remove

sd: ffff88807ee54cc0, sdl: dead000000000100, dev: dead000000000122,
list_del corruption, ffff88807ee54cc0->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 6812 Comm: syz.3.18 Not tainted 6.12.0-rc6-syzkaller-00169-g906bd684e4b1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 21 8f 00 07 90 0f 0b 48 c7 c7 20 39 60 8c 4c 89 fe e8 0f 8f 00 07 90 0f 0b 48 c7 c7 80 39 60 8c 4c 89 fe e8 fd 8e 00 07 90 <0f> 0b 48 c7 c7 e0 39 60 8c 4c 89 fe e8 eb 8e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc90002f1f3a8 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: 6cee37bacfc70200
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff8174a12c R09: fffffbfff1cf9fd0
R10: dffffc0000000000 R11: fffffbfff1cf9fd0 R12: dffffc0000000000
R13: ffff88807ee54cc0 R14: dead000000000100 R15: ffff88807ee54cc0
FS: 00007fe011db66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcd5e5db08 CR3: 00000000223b6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del_rcu include/linux/rculist.h:157 [inline]
ieee802154_if_remove+0x175/0x2e0 net/mac802154/iface.c:691
rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:744
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
___sys_sendmsg net/socket.c:2661 [inline]
__sys_sendmsg+0x292/0x380 net/socket.c:2690
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe010f7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe011db6038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fe011135f80 RCX: 00007fe010f7e719
RDX: 0000000004000000 RSI: 0000000020000b00 RDI: 0000000000000005
RBP: 00007fe010ff139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe011135f80 R15: 00007fff11a4f838
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 21 8f 00 07 90 0f 0b 48 c7 c7 20 39 60 8c 4c 89 fe e8 0f 8f 00 07 90 0f 0b 48 c7 c7 80 39 60 8c 4c 89 fe e8 fd 8e 00 07 90 <0f> 0b 48 c7 c7 e0 39 60 8c 4c 89 fe e8 eb 8e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc90002f1f3a8 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: 6cee37bacfc70200
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff8174a12c R09: fffffbfff1cf9fd0
R10: dffffc0000000000 R11: fffffbfff1cf9fd0 R12: dffffc0000000000
R13: ffff88807ee54cc0 R14: dead000000000100 R15: ffff88807ee54cc0
FS: 00007fe011db66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcd5e5db08 CR3: 00000000223b6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b9c0c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f4cea7980000

Lizhi Xu

Nov 8, 2024, 6:24:47 AM
to syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
net device has been unregistered?

#syz test

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..6771c0569516 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -101,6 +101,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_LISTDONE,
};

/* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..95f11d377fd3 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ printk("sd: %p, sdl: %p, dev: %p, l: %p, if remove\n", sdata, sdata->list, sdata->dev, sdata->local);
+ if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
+ return;
+
mutex_lock(&sdata->local->iflist_mtx);
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);
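Review bot: the `+ printk(...)` line still passes `sdata->list` (a struct) to `%p` and is debug output that should not reach a final version. The `test_bit` before taking iflist_mtx is not atomic against the `set_bit` in ieee802154_remove_interfaces; it is safe only because both callers hold RTNL (ASSERT_RTNL above, rtnl_lock in ieee802154_unregister_hw), which is worth stating in a comment at the check.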
@@ -697,7 +701,9 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)

mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ printk("sd: %p, sdl: %p, dev: %p, l: %p, rmv interfaces\n", sdata, sdata->list, sdata->dev, sdata->local);
list_del(&sdata->list);
+ set_bit(SDATA_STATE_LISTDONE, &sdata->state);

unregister_netdevice(sdata->dev);
}
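Review bot: the `+ printk(...)` line is debug output with the same `sdata->list` vs `%p` mismatch; drop it before submission.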
diff --git a/net/mac802154/main.c b/net/mac802154/main.c
index 21b7c3b280b4..81289719584e 100644
--- a/net/mac802154/main.c
+++ b/net/mac802154/main.c
@@ -279,6 +279,7 @@ void ieee802154_unregister_hw(struct ieee802154_hw *hw)

rtnl_lock();

+ printk("l: %p unreg hw\n", local);
ieee802154_remove_interfaces(local);

rtnl_unlock();
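Review bot: the `+ printk("l: %p unreg hw\n", local)` line is debug output; drop it before submission.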

syzbot

Nov 8, 2024, 7:01:06 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1641cea7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16a1ee30580000

syzbot

Nov 8, 2024, 7:43:56 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: BUG: corrupted list in ieee802154_if_remove
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 906bd684e4b1e517dd424a354744c5b0aebef8af

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..7afcea3447c1 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -40,9 +40,8 @@ struct ieee802154_local {
int open_count;

/* As in mac80211 slaves list is modified:
- * 1) under the RTNL
- * 2) protected by slaves_mtx;
- * 3) in an RCU manner
+ * 1) under the RTNL;
+ * 2) protected by iflist_mtx.
*
* So atomic readers can use any of this protection methods.
*/
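Review bot: with item 3 ("in an RCU manner") removed from the comment, the sentence that follows, "So atomic readers can use any of this protection methods", no longer holds: a reader must now hold the RTNL or iflist_mtx, and a lockless reader would be a bug; reword that sentence in the same hunk.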
@@ -101,6 +100,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_REMOVED,
};

/* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..700c80e94bb2 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -669,7 +669,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
goto err;

mutex_lock(&local->iflist_mtx);
- list_add_tail_rcu(&sdata->list, &local->interfaces);
+ list_add_tail(&sdata->list, &local->interfaces);
mutex_unlock(&local->iflist_mtx);

return ndev;
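Review bot: replacing `list_add_tail_rcu` with `list_add_tail` (together with the `synchronize_rcu()` removal in the next hunk) is only correct if nothing traverses local->interfaces under rcu_read_lock(); the readers of the list are not in this diff, so please confirm there are no `list_for_each_entry_rcu` users left and say so in the commit message.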
@@ -683,11 +683,13 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ if (test_and_set_bit(SDATA_STATE_REMOVED, &sdata->state))
+ return;
+
mutex_lock(&sdata->local->iflist_mtx);
- list_del_rcu(&sdata->list);
+ list_del(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);

- synchronize_rcu();
unregister_netdevice(sdata->dev);
}
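Review bot: the `test_and_set_bit` early return makes a netlink delete of an interface that ieee802154_remove_interfaces already tore down succeed silently, and correctly skips unregister_netdevice because the other path already called it; a comment saying so would help. Dropping `- synchronize_rcu();` here depends on the same question as the ieee802154_if_add hunk: it is safe only once no RCU readers of the list remain.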

@@ -697,6 +699,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)

mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ if (test_and_set_bit(SDATA_STATE_REMOVED, &sdata->state))
+ continue;
list_del(&sdata->list);

unregister_netdevice(sdata->dev);
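Review bot: inside this loop an entry whose REMOVED bit is already set was unlinked by ieee802154_if_remove under the same RTNL, so it can no longer be reached from the iteration; the `+ continue;` is harmless but effectively dead. A comment that the check is defensive would stop readers from looking for a race it appears to handle.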
--
2.47.0

syzbot

Nov 8, 2024, 8:21:05 AM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=105020c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=158c835f980000

Lizhi Xu

Nov 8, 2024, 9:54:45 AM
to syzbot+985f82...@syzkaller.appspotmail.com, alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, miquel...@bootlin.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzkall...@googlegroups.com
syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
hardware device from the system.

CPU0                                   CPU1
====                                   ====
genl_family_rcv_msg_doit               ieee802154_unregister_hw
  ieee802154_del_iface                   ieee802154_remove_interfaces
    rdev_del_virtual_intf_deprecated       list_del(&sdata->list)
      ieee802154_if_remove
        list_del_rcu

Avoid this issue by adding the slave data state bit SDATA_STATE_LISTDONE: set
SDATA_STATE_LISTDONE when unregistering the hardware from the system, and
check the SDATA_STATE_LISTDONE state bit before removing the interface from
the list.

[1]
Reported-and-tested-by: syzbot+985f82...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
net/mac802154/ieee802154_i.h | 1 +
net/mac802154/iface.c | 4 ++++
2 files changed, 5 insertions(+)

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..6771c0569516 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -101,6 +101,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_LISTDONE,
};

/* Slave interface definition.
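Review bot: `+ SDATA_STATE_LISTDONE,` has no comment saying what it records (the entry has already been unlinked from local->interfaces by ieee802154_remove_interfaces); a one-line comment beside it would spare readers of later patches a trip to iface.c.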
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..aed2fc63395d 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,9 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
+ return;
+
mutex_lock(&sdata->local->iflist_mtx);
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);
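Review bot: the `test_bit` here and the `set_bit` in ieee802154_remove_interfaces are not atomic with respect to each other; they are safe only because both callers hold RTNL (ASSERT_RTNL above, rtnl_lock in ieee802154_unregister_hw). State that in a comment at the check, and note that the early return intentionally skips unregister_netdevice because the other path already called it.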
@@ -698,6 +701,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
list_del(&sdata->list);
+ set_bit(SDATA_STATE_LISTDONE, &sdata->state);

unregister_netdevice(sdata->dev);
}
--
2.43.0
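The double unlink described in the commit message above, modelled as an added user-space example that is not code from this thread or from the kernel: a minimal list_head with the same poison values the trace shows, a list_del() that reports corruption instead of calling BUG(), and the two removal paths run back to back, first without and then with a removed-state bit. The names sub_if, if_remove and remove_interfaces are stand-ins for the mac802154 symbols, and the guard uses the test_and_set_bit variant posted elsewhere in this thread rather than the test_bit/set_bit pair of the patch above.

```c
/* Added example, not kernel code: a user-space model of the poisoned
 * kernel list and the two teardown paths that raced in the report. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* The poison values the kernel writes into a deleted entry; the oops shows
 * exactly these in ->next (dead000000000100) and ->prev (dead000000000122). */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Mirrors the checks behind __list_del_entry_valid, but returns false
 * where the kernel would hit BUG() in lib/list_debug.c. */
static bool list_del_entry_valid(const struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;           /* entry was already deleted once */
    if (e->prev->next != e || e->next->prev != e)
        return false;           /* neighbours do not point back at us */
    return true;
}

static bool list_del(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return false;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
    return true;
}

/* Stand-in for ieee802154_sub_if_data: list link plus a state bitmap. */
enum { SDATA_STATE_REMOVED = 0 };
struct sub_if {
    struct list_head list;
    unsigned long state;
    int unregister_calls;       /* how often "unregister_netdevice" ran */
};

/* Single-threaded stand-in for the kernel helper; both paths are assumed
 * to be serialised by one outer lock (RTNL in the real code). */
static bool test_and_set_bit(int nr, unsigned long *w)
{
    bool was = (*w >> nr) & 1UL;
    *w |= 1UL << nr;
    return was;
}

/* Path 1: netlink del_iface -> if_remove on one interface. */
static bool if_remove(struct sub_if *s, bool guarded)
{
    if (guarded && test_and_set_bit(SDATA_STATE_REMOVED, &s->state))
        return true;            /* other path already tore it down */
    if (!list_del(&s->list))
        return false;           /* corruption check fired */
    s->unregister_calls++;
    return true;
}

/* Path 2: unregister_hw -> remove_interfaces walks the whole list. */
static bool remove_interfaces(struct list_head *ifaces, bool guarded)
{
    struct list_head *pos, *n;
    for (pos = ifaces->next; pos != ifaces; pos = n) {
        struct sub_if *s = container_of(pos, struct sub_if, list);
        n = pos->next;
        if (guarded && test_and_set_bit(SDATA_STATE_REMOVED, &s->state))
            continue;
        if (!list_del(pos))
            return false;
        s->unregister_calls++;
    }
    return true;
}

/* Hardware teardown first, then a late netlink delete of an interface it
 * already removed. Returns -1 if a corruption check fired, otherwise the
 * number of times interface "a" was unregistered. */
static int simulate(bool guarded)
{
    struct list_head ifaces;
    struct sub_if a = { .unregister_calls = 0 }, b = { .unregister_calls = 0 };

    list_init(&ifaces);
    list_add_tail(&a.list, &ifaces);
    list_add_tail(&b.list, &ifaces);
    if (!remove_interfaces(&ifaces, guarded))
        return -1;
    if (!if_remove(&a, guarded))
        return -1;
    return a.unregister_calls;
}

int main(void)
{
    printf("unguarded: %d (-1 = list corruption detected)\n", simulate(false));
    printf("guarded:   %d unregister call(s), no corruption\n", simulate(true));
    return 0;
}
```

Without the bit, the second list_del() finds LIST_POISON1 in ->next and trips the same check that produced "list_del corruption ... is LIST_POISON1" in the test run; with it, the late caller returns early and the interface is unregistered exactly once.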

syzbot

Nov 8, 2024, 11:29:16 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: BUG: corrupted list in ieee802154_if_remove
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 906bd684e4b1e517dd424a354744c5b0aebef8af

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..52c8ea7f1da0 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -41,13 +41,11 @@ struct ieee802154_local {

/* As in mac80211 slaves list is modified:
* 1) under the RTNL
- * 2) protected by slaves_mtx;
* 3) in an RCU manner
*
* So atomic readers can use any of this protection methods.
*/
struct list_head interfaces;
- struct mutex iflist_mtx;

/* Data related workqueue */
struct workqueue_struct *workqueue;
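Review bot: removing item 2 leaves the comment numbered "1)" then "3)"; renumber. Dropping `iflist_mtx` from the struct also means every writer of local->interfaces must now hold RTNL, which the comment should state explicitly instead of "any of this protection methods".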
@@ -101,6 +99,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_REMOVING,
};

/* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..f108c46122e3 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -668,9 +668,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
if (ret < 0)
goto err;

- mutex_lock(&local->iflist_mtx);
list_add_tail_rcu(&sdata->list, &local->interfaces);
- mutex_unlock(&local->iflist_mtx);

return ndev;

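Review bot: with the mutex gone, `list_add_tail_rcu` in ieee802154_if_add is serialised only by RTNL; the hunk does not show an ASSERT_RTNL in this function, so add one (or confirm the caller holds it) so that lockdep documents the new rule.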
@@ -683,25 +681,32 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

- mutex_lock(&sdata->local->iflist_mtx);
- list_del_rcu(&sdata->list);
- mutex_unlock(&sdata->local->iflist_mtx);
-
- synchronize_rcu();
- unregister_netdevice(sdata->dev);
+ if (!test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state)) {
+ list_del_rcu(&sdata->list);
+ synchronize_rcu();
+ unregister_netdevice(sdata->dev);
+ }
}

+#define list_for_each_rcu_safe(pos, n, head) \
+ for (pos = rcu_dereference((head)->next), n = pos->next; \
+ !list_is_head(pos, (head)); \
+ pos = n, n = rcu_dereference(pos->next))
+
void ieee802154_remove_interfaces(struct ieee802154_local *local)
{
- struct ieee802154_sub_if_data *sdata, *tmp;
+ struct list_head *entry, *tmp;

- mutex_lock(&local->iflist_mtx);
- list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
- list_del(&sdata->list);
+ list_for_each_rcu_safe(entry, tmp, &local->interfaces) {
+ struct ieee802154_sub_if_data *sdata =
+ container_of(entry, struct ieee802154_sub_if_data, list);

- unregister_netdevice(sdata->dev);
+ if (!test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state)) {
+ list_del_rcu(&sdata->list);
+ synchronize_rcu();
+ unregister_netdevice(sdata->dev);
+ }
}
- mutex_unlock(&local->iflist_mtx);
}

static int netdev_notify(struct notifier_block *nb,
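Review bot: the local `list_for_each_rcu_safe` macro calls rcu_dereference() with no rcu_read_lock() held, which is exactly what lockdep reported in the test run ("net/mac802154/iface.c:700 suspicious rcu_dereference_check() usage"). This walker is a writer running under RTNL, so use plain list_for_each_safe, or rcu_dereference_protected(..., lockdep_rtnl_is_held()) if the intent is to document the RTNL dependency. The macro also reads `n = pos->next` with a plain load, and calling synchronize_rcu() once per interface inside the loop adds a full grace-period wait per entry to the hardware teardown path.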
diff --git a/net/mac802154/main.c b/net/mac802154/main.c
index 21b7c3b280b4..61b6c5e06177 100644
--- a/net/mac802154/main.c
+++ b/net/mac802154/main.c
@@ -91,7 +91,6 @@ ieee802154_alloc_hw(size_t priv_data_len, const struct ieee802154_ops *ops)
INIT_LIST_HEAD(&local->interfaces);
INIT_LIST_HEAD(&local->rx_beacon_list);
INIT_LIST_HEAD(&local->rx_mac_cmd_list);
- mutex_init(&local->iflist_mtx);

tasklet_setup(&local->tasklet, ieee802154_tasklet_handler);

@@ -174,8 +173,6 @@ void ieee802154_free_hw(struct ieee802154_hw *hw)

BUG_ON(!list_empty(&local->interfaces));

- mutex_destroy(&local->iflist_mtx);
-
wpan_phy_free(local->phy);
}
EXPORT_SYMBOL(ieee802154_free_hw);

syzbot

Nov 8, 2024, 11:47:06 AM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: suspicious RCU usage in ieee802154_remove_interfaces

usb 2-1: Please update to version 0.2 or newer
usb 2-1: USB disconnect, device number 2
=============================
WARNING: suspicious RCU usage
6.12.0-rc6-syzkaller-00169-g906bd684e4b1-dirty #0 Not tainted
-----------------------------
net/mac802154/iface.c:700 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
6 locks held by kworker/1:5/5934:
#0: ffff888144284548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888144284548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc900042f7d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc900042f7d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff888145704190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145704190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1fe/0x5150 drivers/usb/core/hub.c:5849
#3: ffff888077b13190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888077b13190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x103/0x950 drivers/usb/core/hub.c:2295
#4: ffff888022f63160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888022f63160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888022f63160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
#5: ffffffff8fcc1408 (rtnl_mutex){+.+.}-{3:3}, at: ieee802154_unregister_hw+0x54/0xd0 net/mac802154/main.c:277

stack backtrace:
CPU: 1 UID: 0 PID: 5934 Comm: kworker/1:5 Not tainted 6.12.0-rc6-syzkaller-00169-g906bd684e4b1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
lockdep_rcu_suspicious+0x226/0x340 kernel/locking/lockdep.c:6821
ieee802154_remove_interfaces+0x2e8/0x2f0 net/mac802154/iface.c:700
ieee802154_unregister_hw+0x5c/0xd0 net/mac802154/main.c:279
atusb_disconnect+0x152/0x260 drivers/net/ieee802154/atusb.c:1077
usb_unbind_interface+0x25e/0x940 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x503/0x7c0 drivers/base/dd.c:1296
bus_remove_device+0x34f/0x420 drivers/base/bus.c:576
device_del+0x57a/0x9b0 drivers/base/core.c:3861
usb_disable_device+0x3bf/0x850 drivers/usb/core/message.c:1418
usb_disconnect+0x340/0x950 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1ebc/0x5150 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

=============================
WARNING: suspicious RCU usage
6.12.0-rc6-syzkaller-00169-g906bd684e4b1-dirty #0 Not tainted
-----------------------------
net/mac802154/iface.c:700 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
6 locks held by kworker/1:5/5934:
#0: ffff888144284548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888144284548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc900042f7d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc900042f7d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff888145704190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145704190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1fe/0x5150 drivers/usb/core/hub.c:5849
#3: ffff888077b13190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888077b13190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x103/0x950 drivers/usb/core/hub.c:2295
#4: ffff888022f63160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888022f63160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888022f63160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
#5: ffffffff8fcc1408 (rtnl_mutex){+.+.}-{3:3}, at: ieee802154_unregister_hw+0x54/0xd0 net/mac802154/main.c:277

stack backtrace:
CPU: 1 UID: 0 PID: 5934 Comm: kworker/1:5 Not tainted 6.12.0-rc6-syzkaller-00169-g906bd684e4b1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
lockdep_rcu_suspicious+0x226/0x340 kernel/locking/lockdep.c:6821
ieee802154_remove_interfaces+0x272/0x2f0 net/mac802154/iface.c:700
ieee802154_unregister_hw+0x5c/0xd0 net/mac802154/main.c:279
atusb_disconnect+0x152/0x260 drivers/net/ieee802154/atusb.c:1077
usb_unbind_interface+0x25e/0x940 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x503/0x7c0 drivers/base/dd.c:1296
bus_remove_device+0x34f/0x420 drivers/base/bus.c:576
device_del+0x57a/0x9b0 drivers/base/core.c:3861
usb_disable_device+0x3bf/0x850 drivers/usb/core/message.c:1418
usb_disconnect+0x340/0x950 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1ebc/0x5150 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
usb 2-1: new high-speed USB device number 3 using dummy_hcd
usb 2-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a
usb 2-1: New USB device strings: Mfr=210, Product=154, SerialNumber=3
usb 2-1: Product: syz
usb 2-1: Manufacturer: syz
usb 2-1: SerialNumber: syz
usb 2-1: config 0 descriptor??
usb 2-1: Firmware version (0.0) predates our first public release.
usb 2-1: Please update to version 0.2 or newer
usb 2-1: USB disconnect, device number 3
usb 4-1: new high-speed USB device number 5 using dummy_hcd
usb 4-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a
usb 4-1: New USB device strings: Mfr=210, Product=154, SerialNumber=3
usb 4-1: Product: syz
usb 4-1: Manufacturer: syz
usb 4-1: SerialNumber: syz
usb 4-1: config 0 descriptor??
usb 4-1: Firmware version (0.0) predates our first public release.
usb 4-1: Please update to version 0.2 or newer
usb 4-1: USB disconnect, device number 5
usb 4-1: new high-speed USB device number 6 using dummy_hcd
usb 4-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a
usb 4-1: New USB device strings: Mfr=210, Product=154, SerialNumber=3
usb 4-1: Product: syz
usb 4-1: Manufacturer: syz
usb 4-1: SerialNumber: syz
usb 4-1: config 0 descriptor??
usb 4-1: Firmware version (0.0) predates our first public release.
usb 4-1: Please update to version 0.2 or newer
usb 4-1: USB disconnect, device number 6
usb 5-1: new high-speed USB device number 8 using dummy_hcd
usb 5-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a
usb 5-1: New USB device strings: Mfr=210, Product=154, SerialNumber=3
usb 5-1: Product: syz
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
usb 5-1: Firmware version (0.0) predates our first public release.
usb 5-1: Please update to version 0.2 or newer
usb 5-1: USB disconnect, device number 8


Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17c42ea7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d5835f980000

syzbot

Nov 8, 2024, 9:51:25 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: BUG: corrupted list in ieee802154_if_remove()
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git da4373fbcf006deda90e5e6a87c499e0ff747572

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..52c8ea7f1da0 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -41,13 +41,11 @@ struct ieee802154_local {

/* As in mac80211 slaves list is modified:
* 1) under the RTNL
- * 2) protected by slaves_mtx;
* 3) in an RCU manner
*
* So atomic readers can use any of this protection methods.
*/
struct list_head interfaces;
- struct mutex iflist_mtx;

/* Data related workqueue */
struct workqueue_struct *workqueue;
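Review bot: with "2) protected by slaves_mtx;" removed, the comment above `struct list_head interfaces;` now lists "1) under the RTNL" and "3) in an RCU manner" with no item 2; renumber it, and since the comment is being touched, "any of this protection methods" should read "any of these protection methods". Removing the `iflist_mtx` field also means any remaining initialisation or use of it outside the hunks shown has to go, and the commit message should state that the RTNL is now the only writer-side lock on this list.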
@@ -101,6 +99,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_REMOVING,
};

/* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..f4cbd5a8bb4e 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -668,9 +668,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
if (ret < 0)
goto err;

- mutex_lock(&local->iflist_mtx);
list_add_tail_rcu(&sdata->list, &local->interfaces);
- mutex_unlock(&local->iflist_mtx);

return ndev;

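Review bot: `list_add_tail_rcu()` now runs with no lock other than the RTNL, but this hunk shows no `ASSERT_RTNL()` in `ieee802154_if_add()`; add one next to the call (as `ieee802154_if_remove()` already has) so the new locking rule is enforced rather than assumed.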
@@ -683,25 +681,37 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

- mutex_lock(&sdata->local->iflist_mtx);
- list_del_rcu(&sdata->list);
- mutex_unlock(&sdata->local->iflist_mtx);
-
- synchronize_rcu();
- unregister_netdevice(sdata->dev);
+ if (!test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state)) {
+ list_del_rcu(&sdata->list);
+ unregister_netdevice(sdata->dev);
+ }
}

+#define list_for_each_rcu_safe(pos, n, head) \
+ for (pos = rcu_dereference((head)->next), n = pos->next; \
+ !list_is_head(pos, (head)); \
+ pos = n, n = rcu_dereference(pos->next))
+
void ieee802154_remove_interfaces(struct ieee802154_local *local)
{
- struct ieee802154_sub_if_data *sdata, *tmp;
+ struct ieee802154_sub_if_data *sdata;
+ struct list_head *entry, *tmp;
+ LIST_HEAD(head);
+
+ rcu_read_lock();
+
+ list_for_each_rcu_safe(entry, tmp, &local->interfaces) {
+ sdata = container_of(entry, struct ieee802154_sub_if_data, list);
+ if (!test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state))
+ list_move(&sdata->list, &head);
+ }

- mutex_lock(&local->iflist_mtx);
- list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
- list_del(&sdata->list);
+ rcu_read_unlock();

+ list_for_each_safe(entry, tmp, &head) {
+ sdata = container_of(entry, struct ieee802154_sub_if_data, list);
unregister_netdevice(sdata->dev);
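Review bot: two concerns in the `ieee802154_remove_interfaces()` rewrite. First, `list_move()` is a plain (non-RCU) list operation, yet it is called inside `rcu_read_lock()` on a list that RCU readers traverse: it rewrites the neighbours' `next`/`prev` without the RCU publishing barriers, so a concurrent reader can observe a half-updated list, and the read-side critical section does not make the writer safe. Both removal paths hold the RTNL, so iterate with `list_for_each_entry_safe()` and unlink with `list_del_rcu()` as `ieee802154_if_remove()` does, which also removes the need for the local `list_for_each_rcu_safe` macro (whose `n = pos->next` is not an `rcu_dereference()` either). Second, `ieee802154_if_remove()` drops the `synchronize_rcu()` between `list_del_rcu()` and `unregister_netdevice()`; the commit message needs to explain why no RCU reader of `local->interfaces` can still be using `sdata` at that point, or the call should stay.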

syzbot

Nov 8, 2024, 10:22:05 PM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: da4373fb Merge tag 'thermal-6.12-rc7' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16a3a0c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=347f0ef7656eeb41
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=162aaea7980000

Miquel Raynal

Nov 11, 2024, 2:47:05 PM
to Lizhi Xu, syzbot+985f82...@syzkaller.appspotmail.com, alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzkall...@googlegroups.com, Dmitry Antipov
Hello,

On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizh...@windriver.com> wrote:

> syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>
> Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
> hardware device from the system.
>
> CPU0                                    CPU1
> ====                                    ====
> genl_family_rcv_msg_doit                ieee802154_unregister_hw
>   ieee802154_del_iface                    ieee802154_remove_interfaces
>     rdev_del_virtual_intf_deprecated        list_del(&sdata->list)
>       ieee802154_if_remove
>         list_del_rcu

FYI this is a "duplicate" but with a different approach than:
https://lore.kernel.org/linux-wpan/87v7wtp...@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077

Thanks,
Miquèl

Lizhi Xu

Nov 11, 2024, 7:21:59 PM
to miquel...@bootlin.com, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Mon, 11 Nov 2024 20:46:57 +0100, Miquel Raynal wrote:
> On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizh...@windriver.com> wrote:
>
> > syzkaller reported a corrupted list in ieee802154_if_remove. [1]
> >
> > Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
> > hardware device from the system.
> >
> > CPU0                                    CPU1
> > ====                                    ====
> > genl_family_rcv_msg_doit                ieee802154_unregister_hw
> >   ieee802154_del_iface                    ieee802154_remove_interfaces
> >     rdev_del_virtual_intf_deprecated        list_del(&sdata->list)
> >       ieee802154_if_remove
> >         list_del_rcu
>
> FYI this is a "duplicate" but with a different approach than:
> https://lore.kernel.org/linux-wpan/87v7wtp...@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077
No, my patch was the first to fix it; someone else copied my patch. Here is my patch:

From: syzbot <syzbot+985f82...@syzkaller.appspotmail.com>
To: linux-...@vger.kernel.org
Subject: Re: [syzbot] Re: [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove
Date: Fri, 08 Nov 2024 03:24:46 -0800 [thread overview]
Message-ID: <672df4fe.050a022...@google.com> (raw)
In-Reply-To: <672b9f03.050a022...@google.com>

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org.

***

Subject: Re: [syzbot] [wpan?] [usb?] BUG: corrupted list in ieee802154_if_remove
Author: lizh...@windriver.com

net device has been unregistered?

#syz test

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..6771c0569516 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -101,6 +101,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_LISTDONE,
};

/* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..95f11d377fd3 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -683,6 +683,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

+ printk("sd: %p, sdl: %p, dev: %p, l: %p, if remove\n", sdata, sdata->list, sdata->dev, sdata->local);
+ if (test_bit(SDATA_STATE_LISTDONE, &sdata->state))
+ return;
+
mutex_lock(&sdata->local->iflist_mtx);
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);
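Review bot: the `test_bit(SDATA_STATE_LISTDONE, &sdata->state)` check runs before `mutex_lock(&sdata->local->iflist_mtx)`, while the bit is set by `ieee802154_remove_interfaces()` under that mutex after its `list_del()`; a caller that reads the bit as clear and then blocks on the mutex will still execute `list_del_rcu()` on the already-unlinked entry once the mutex is released, which is the corruption being fixed. Move the check under the mutex (unlocking before the early return). The `printk()` is a debug leftover that should not be in the submitted patch, and its `%p` is given `sdata->list`, a `struct list_head` by value, where a pointer (`&sdata->list`) is meant.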
@@ -697,7 +701,9 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)

mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ printk("sd: %p, sdl: %p, dev: %p, l: %p, rmv interfaces\n", sdata, sdata->list, sdata->dev, sdata->local);
list_del(&sdata->list);
+ set_bit(SDATA_STATE_LISTDONE, &sdata->state);

unregister_netdevice(sdata->dev);
}
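Review bot: same debug `printk()` with the by-value `sdata->list` argument here; drop it. Setting `SDATA_STATE_LISTDONE` only after `list_del()` leaves a window in which the entry is unlinked but not yet flagged for a reader that tests the bit without the mutex; a `test_and_set_bit()` before the unlink, used by both removal paths, gives a single atomic claim step instead.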
diff --git a/net/mac802154/main.c b/net/mac802154/main.c
index 21b7c3b280b4..81289719584e 100644
--- a/net/mac802154/main.c
+++ b/net/mac802154/main.c
@@ -279,6 +279,7 @@ void ieee802154_unregister_hw(struct ieee802154_hw *hw)

rtnl_lock();

+ printk("l: %p unreg hw\n", local);
ieee802154_remove_interfaces(local);

rtnl_unlock();
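Review bot: the `printk("l: %p unreg hw\n", local)` added to `ieee802154_unregister_hw()` is debugging output with no log level and should be removed before submission; if a trace of this path is wanted, `pr_debug()`/`dev_dbg()` is the appropriate form.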

>
BR,
Lizhi

syzbot

Nov 11, 2024, 11:31:08 PM
to alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, miquel...@bootlin.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 2d5404ca Linux 6.12-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1608335f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1503500c6f615d24
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=109ed35f980000

syzbot

Nov 12, 2024, 1:46:25 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: BUG: corrupted list in ieee802154_if_remove()
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 2d5404caa8c7bb5c4e0435f94b28834ae5456623

diff --git a/net/mac802154/ieee802154_i.h b/net/mac802154/ieee802154_i.h
index 08dd521a51a5..52c8ea7f1da0 100644
--- a/net/mac802154/ieee802154_i.h
+++ b/net/mac802154/ieee802154_i.h
@@ -41,13 +41,11 @@ struct ieee802154_local {

/* As in mac80211 slaves list is modified:
* 1) under the RTNL
- * 2) protected by slaves_mtx;
* 3) in an RCU manner
*
* So atomic readers can use any of this protection methods.
*/
struct list_head interfaces;
- struct mutex iflist_mtx;

/* Data related workqueue */
struct workqueue_struct *workqueue;
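Review bot: as in the previous version, the locking comment above `struct list_head interfaces;` is left with items "1)" and "3)" after "2) protected by slaves_mtx;" is dropped; renumber it and fix "any of this protection methods" while here.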
@@ -101,6 +99,7 @@ enum {

enum ieee802154_sdata_state_bits {
SDATA_STATE_RUNNING,
+ SDATA_STATE_REMOVING,
};

/* Slave interface definition.
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..619f06bf9931 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -668,9 +668,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
if (ret < 0)
goto err;

- mutex_lock(&local->iflist_mtx);
list_add_tail_rcu(&sdata->list, &local->interfaces);
- mutex_unlock(&local->iflist_mtx);

return ndev;

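Review bot: `ieee802154_if_add()` now relies solely on the RTNL around `list_add_tail_rcu()`, and nothing in this hunk asserts it; an `ASSERT_RTNL()` here would document and enforce the rule the patch introduces.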
@@ -683,25 +681,21 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
{
ASSERT_RTNL();

- mutex_lock(&sdata->local->iflist_mtx);
- list_del_rcu(&sdata->list);
- mutex_unlock(&sdata->local->iflist_mtx);
-
- synchronize_rcu();
- unregister_netdevice(sdata->dev);
+ if (!test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state)) {
+ list_del_rcu(&sdata->list);
+ unregister_netdevice(sdata->dev);
+ }
}

void ieee802154_remove_interfaces(struct ieee802154_local *local)
{
struct ieee802154_sub_if_data *sdata, *tmp;

- mutex_lock(&local->iflist_mtx);
- list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
- list_del(&sdata->list);
-
- unregister_netdevice(sdata->dev);
- }
- mutex_unlock(&local->iflist_mtx);
+ list_for_each_entry_safe(sdata, tmp, &local->interfaces, list)
+ if (!test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state)) {
+ list_del_rcu(&sdata->list);
+ unregister_netdevice(sdata->dev);
+ }
}

static int netdev_notify(struct notifier_block *nb,
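Review bot: both paths now claim the entry with `test_and_set_bit(SDATA_STATE_REMOVING, &sdata->state)` before `list_del_rcu()`, which closes the double unlink. What the hunk does not justify is removing `synchronize_rcu()` between `list_del_rcu()` and `unregister_netdevice()` in `ieee802154_if_remove()`: either explain in the commit message why no RCU reader of `local->interfaces` can still hold `sdata` at that point, or keep the call. Also, `ieee802154_remove_interfaces()` now walks the list with `list_for_each_entry_safe()` under nothing but the RTNL (the mutex is gone) and the hunk shows no `ASSERT_RTNL()` there; add one, mirroring `ieee802154_if_remove()`.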
diff --git a/net/mac802154/main.c b/net/mac802154/main.c
index 21b7c3b280b4..61b6c5e06177 100644
--- a/net/mac802154/main.c
+++ b/net/mac802154/main.c

syzbot

Nov 12, 2024, 2:19:07 AM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 2d5404ca Linux 6.12-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=134afea7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1503500c6f615d24
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b1f4e8580000

Miquel Raynal

Nov 12, 2024, 6:01:26 AM
to Lizhi Xu, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On 12/11/2024 at 08:21:33 +08, Lizhi Xu <lizh...@windriver.com> wrote:

> On Mon, 11 Nov 2024 20:46:57 +0100, Miquel Raynal wrote:
>> On 08/11/2024 at 22:54:20 +08, Lizhi Xu <lizh...@windriver.com> wrote:
>>
>> > syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>> >
>> > Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
>> > hardware device from the system.
>> >
>> > CPU0                                    CPU1
>> > ====                                    ====
>> > genl_family_rcv_msg_doit                ieee802154_unregister_hw
>> >   ieee802154_del_iface                    ieee802154_remove_interfaces
>> >     rdev_del_virtual_intf_deprecated        list_del(&sdata->list)
>> >       ieee802154_if_remove
>> >         list_del_rcu
>>
>> FYI this is a "duplicate" but with a different approach than:
>> https://lore.kernel.org/linux-wpan/87v7wtp...@bootlin.com/T/#m02cebe86ec0171fc4d3350676bbdd4a7e3827077
> No, my patch was the first to fix it, someone else copied my
> patch. Here is my patch:

Ok, so same question as to the other contributor: why not enclose the
remaining list_del_rcu() within mutex protection? Can we avoid the
creation of the LISTDONE state bit?

Thanks,
Miquèl

Lizhi Xu

Nov 12, 2024, 7:36:01 AM
to syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
net device has been unregistered, since the rcu grace period it must be run before ieee802154_if_remove

#syz test

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..6f24f1760969 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -684,7 +684,8 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
ASSERT_RTNL();

mutex_lock(&sdata->local->iflist_mtx);
- list_del_rcu(&sdata->list);
+ if (!list_empty(&sdata->local->interfaces))
+ list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);

synchronize_rcu();
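Review bot: when `list_empty(&sdata->local->interfaces)` is true the unlink is skipped, but the function then falls through to `synchronize_rcu()` and `unregister_netdevice(sdata->dev)`, so a device that `ieee802154_remove_interfaces()` already unregistered gets unregistered a second time. If the entry is known to be gone, the function has to unlock and return rather than continue. Separately, emptiness of the whole list is not a property of this `sdata`; it only coincides with "already unlinked" when every interface was removed.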

syzbot

Nov 12, 2024, 7:56:05 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ieee802154_del_iface

------------[ cut here ]------------
kernel BUG at net/core/dev.c:11375!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 7336 Comm: syz.4.73 Not tainted 6.12.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
RIP: 0010:unregister_netdevice_many_notify+0x1d84/0x1da0 net/core/dev.c:11375
Code: 01 90 48 c7 c7 80 fe 0c 8d 48 c7 c6 60 fe 0c 8d ba 8b 17 00 00 e8 8c 47 c8 f7 90 0f 0b 90 90 e9 67 e8 ff ff e8 9d 51 07 f8 90 <0f> 0b e8 95 51 07 f8 90 0f 0b e8 dd 5e 31 02 66 2e 0f 1f 84 00 00
RSP: 0018:ffffc90004607160 EFLAGS: 00010293
RAX: ffffffff898d8813 RBX: 0000000000000002 RCX: ffff88802c1e5a00
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffffc90004607350 R08: ffffffff898d6ca6 R09: 1ffffffff1f98274
R10: dffffc0000000000 R11: fffffbfff1f98275 R12: dead000000000100
R13: ffff888028cf06c1 R14: ffffc900046073a0 R15: 1ffff1100519e031
FS: 00007fc796c396c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005587e87f1950 CR3: 0000000033264000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
unregister_netdevice_many net/core/dev.c:11469 [inline]
unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11343
rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:744
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
___sys_sendmsg net/socket.c:2661 [inline]
__sys_sendmsg+0x292/0x380 net/socket.c:2690
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc795d7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc796c39038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc795f35f80 RCX: 00007fc795d7e719
RDX: 0000000004000000 RSI: 0000000020000b00 RDI: 0000000000000005
RBP: 00007fc795df139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc795f35f80 R15: 00007ffe0c919b58
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:unregister_netdevice_many_notify+0x1d84/0x1da0 net/core/dev.c:11375
Code: 01 90 48 c7 c7 80 fe 0c 8d 48 c7 c6 60 fe 0c 8d ba 8b 17 00 00 e8 8c 47 c8 f7 90 0f 0b 90 90 e9 67 e8 ff ff e8 9d 51 07 f8 90 <0f> 0b e8 95 51 07 f8 90 0f 0b e8 dd 5e 31 02 66 2e 0f 1f 84 00 00
RSP: 0018:ffffc90004607160 EFLAGS: 00010293
RAX: ffffffff898d8813 RBX: 0000000000000002 RCX: ffff88802c1e5a00
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffffc90004607350 R08: ffffffff898d6ca6 R09: 1ffffffff1f98274
R10: dffffc0000000000 R11: fffffbfff1f98275 R12: dead000000000100
R13: ffff888028cf06c1 R14: ffffc900046073a0 R15: 1ffff1100519e031
FS: 00007fc796c396c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f392374d440 CR3: 0000000033264000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 2d5404ca Linux 6.12-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e7fe30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1503500c6f615d24
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f001a7980000

Lizhi Xu

Nov 12, 2024, 8:11:48 AM
to syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
net device has been unregistered, since the rcu grace period it must be run before ieee802154_if_remove

#syz test

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..9e4631fade90 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -684,6 +684,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
ASSERT_RTNL();

mutex_lock(&sdata->local->iflist_mtx);
+ if (list_empty(&sdata->local->interfaces)) {
+ mutex_unlock(&sdata->local->iflist_mtx);
+ return;
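Review bot: the early return now avoids the second `unregister_netdevice()`, but the condition is still `list_empty(&sdata->local->interfaces)`, a statement about the whole list rather than about `sdata`. It catches the reported case only because the reproducer has a single interface, so the list is empty once `ieee802154_remove_interfaces()` ran; with another interface still linked, `list_del_rcu()` would again run on the poisoned `sdata->list`. A per-entry check is needed: for example have `ieee802154_remove_interfaces()` use `list_del_init()` so `list_empty(&sdata->list)` can be tested here, or a per-sdata state bit.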

syzbot

Nov 12, 2024, 8:38:05 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+985f82...@syzkaller.appspotmail.com
Tested-by: syzbot+985f82...@syzkaller.appspotmail.com

Tested on:

commit: 2d5404ca Linux 6.12-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1298f8c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1503500c6f615d24
dashboard link: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1130f8c0580000

Lizhi Xu

Nov 12, 2024, 8:42:09 AM
to miquel...@bootlin.com, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From the analysis of the list itself, we cannot rely on the newly added state bit.
The net device has been unregistered, since the rcu grace period,
unregistration must be run before ieee802154_if_remove.

Following is my V2 patch, it has been tested and works well.

From: Lizhi Xu <lizh...@windriver.com>
Date: Tue, 12 Nov 2024 20:59:34 +0800
Subject: [PATCH V2] mac802154: check local interfaces before deleting sdata list

syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
hardware device from the system.

CPU0                                    CPU1
====                                    ====
genl_family_rcv_msg_doit                ieee802154_unregister_hw
  ieee802154_del_iface                    ieee802154_remove_interfaces
    rdev_del_virtual_intf_deprecated        list_del(&sdata->list)
      ieee802154_if_remove
        list_del_rcu

The net device has been unregistered, since the rcu grace period,
unregistration must be run before ieee802154_if_remove.

To avoid this issue, add a check for local->interfaces before deleting
sdata list.

[1]
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del_rcu include/linux/rculist.h:157 [inline]
ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:744
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
___sys_sendmsg net/socket.c:2661 [inline]
__sys_sendmsg+0x292/0x380 net/socket.c:2690
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

V1 -> V2: remove state bit and add a check for local interfaces before
deleting sdata list

net/mac802154/iface.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index c0e2da5072be..9e4631fade90 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -684,6 +684,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata)
ASSERT_RTNL();

mutex_lock(&sdata->local->iflist_mtx);
+ if (list_empty(&sdata->local->interfaces)) {
+ mutex_unlock(&sdata->local->iflist_mtx);
+ return;
+ }
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);

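Review bot: the commit message says the check on `local->interfaces` is added "before deleting sdata list", but does not say why an empty list implies that this particular `sdata` was already unlinked and unregistered by `ieee802154_remove_interfaces()`; that reasoning holds only when that function emptied the list, i.e. the single-interface case, and the message should say so or the check should become per-entry (a `list_del_init()`/`list_empty(&sdata->list)` pair or a state bit). The "V1 -> V2" changelog line also belongs below the `---` separator so it is not recorded in the commit.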
--
2.43.0

Miquel Raynal

Nov 13, 2024, 3:26:12 AM
to Lizhi Xu, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Please send a proper v2, not an inline v2.

However the new approach looks better to me, so you can add my

Reviewed-by: Miquel Raynal <miquel...@bootlin.com>

Thanks,
Miquèl

Lizhi Xu

Nov 13, 2024, 4:51:54 AM
to miquel...@bootlin.com, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
hardware device from the system.

CPU0                                    CPU1
====                                    ====
genl_family_rcv_msg_doit                ieee802154_unregister_hw
  ieee802154_del_iface                    ieee802154_remove_interfaces
    rdev_del_virtual_intf_deprecated        list_del(&sdata->list)
      ieee802154_if_remove
        list_del_rcu

The net device has been unregistered, since the rcu grace period,
unregistration must be run before ieee802154_if_remove.

Reviewed-by: Miquel Raynal <miquel...@bootlin.com>

Dmitry Antipov

Nov 13, 2024, 5:47:40 AM
to Lizhi Xu, miquel...@bootlin.com, alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On 11/12/24 4:41 PM, Lizhi Xu wrote:

> mutex_lock(&sdata->local->iflist_mtx);
> + if (list_empty(&sdata->local->interfaces)) {
> + mutex_unlock(&sdata->local->iflist_mtx);
> + return;
> + }
> list_del_rcu(&sdata->list);
> mutex_unlock(&sdata->local->iflist_mtx);

Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
attempt to connect the only device. How is this expected to work if there is
more than one device?

Dmitry

Miquel Raynal

Nov 13, 2024, 5:58:37 AM11/13/24
to Dmitry Antipov, Lizhi Xu, alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Isn't sdata already specific enough? What do you mean by "device"?

Thanks,
Miquèl

Dmitry Antipov

Nov 13, 2024, 7:45:44 AM11/13/24
to Miquel Raynal, Lizhi Xu, alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On 11/13/24 1:58 PM, Miquel Raynal wrote:

>> Note https://syzkaller.appspot.com/text?tag=ReproC&x=12a9f740580000 makes an
>> attempt to connect the only device. How is this expected to work if there is
>> more than one device?
>
> Isn't sdata already specific enough? What do you mean by "device"?

Well, syzbot's reproducer triggers this issue via the USB Raw Gadget API. IIUC this
is a debugging feature and it is only possible to have a single raw gadget device.
So when running syzbot's reproducer, 'list_count_nodes(&sdata->local->interfaces)'
is always <= 1. But how is this expected to work for the >1 case?

Dmitry

Lizhi Xu

Nov 13, 2024, 8:00:51 PM11/13/24
to dman...@yandex.ru, alex....@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, miquel...@bootlin.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
There are two locks (rtnl and iflist_mtx) to protect and synchronize
local->interfaces, so there is no need to worry about multiple devices.

Lizhi

Lizhi Xu

Nov 13, 2024, 8:17:33 PM11/13/24
to lizh...@windriver.com, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, miquel...@bootlin.com, net...@vger.kernel.org, pab...@redhat.com, ste...@datenfreihafen.org, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
In other words, this case is a race between removing the 802154 master
and the user's sendmsg actively deleting the slave.
Then, when the master is removed, there is no need to execute the latter to
remove the slave, because all the slave devices have already been deleted when the
master device is removed.

Lizhi
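
The interleaving described in the patch and in Lizhi's two replies above, replayed in a small userspace model. This is an added illustration, not kernel code and not part of the thread: it reimplements a minimal list_head with the poison pointers that list_del() leaves behind and the validity check that BUG()s in lib/list_debug.c, then runs the two removal paths in the order the reproducer produces, once without and once with the list_empty() guard from the quoted patch. The type and function names (struct local, struct sdata, remove_interfaces, if_remove, replay_race) are simplified stand-ins for the mac802154 ones, plain list_del stands in for list_del_rcu, and iflist_mtx is not modelled because it serialises the two steps in the kernel, so a sequential replay is faithful.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the kernel's list_head: the poison values
 * list_del() writes into an unlinked entry and the check performed before
 * unlinking. Not the kernel's code. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *last = head->prev;
    entry->next = head;
    entry->prev = last;
    last->next = entry;
    head->prev = entry;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

/* The kernel BUG()s here (lib/list_debug.c); the model returns false instead. */
static bool list_del_entry_valid(const struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;                       /* entry was already deleted once */
    if (e->prev->next != e || e->next->prev != e)
        return false;                       /* neighbours do not point back at it */
    return true;
}

/* Unlink and poison; returns false if the debug check would have fired. */
static bool list_del(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return false;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
    return true;
}

struct local { struct list_head interfaces; };            /* stand-in for ieee802154_local */
struct sdata { struct list_head list; struct local *local; }; /* stand-in for ieee802154_sub_if_data */

/* CPU1: ieee802154_unregister_hw -> ieee802154_remove_interfaces unlinks every sdata. */
static void remove_interfaces(struct local *l)
{
    while (!list_empty(&l->interfaces))
        list_del(l->interfaces.next);
}

/* CPU0: ieee802154_if_remove. With `guarded`, apply the patch's list_empty()
 * early return; without it, unlink unconditionally (the pre-patch behaviour). */
static bool if_remove(struct sdata *s, bool guarded)
{
    if (guarded && list_empty(&s->local->interfaces))
        return true;                        /* master already removed all slaves */
    return list_del(&s->list);              /* kernel: list_del_rcu */
}

/* Replay the reported race: hardware unregistration completes first, then the
 * pending netlink delete runs against the already-unlinked sdata. Returns true
 * if no list corruption was detected. */
static bool replay_race(bool guarded)
{
    struct local local;
    struct sdata a, b;

    INIT_LIST_HEAD(&local.interfaces);
    a.local = &local;
    list_add_tail(&a.list, &local.interfaces);
    b.local = &local;
    list_add_tail(&b.list, &local.interfaces);

    remove_interfaces(&local);              /* CPU1 wins the race */
    return if_remove(&a, guarded);          /* CPU0 runs afterwards */
}

int main(void)
{
    printf("unguarded if_remove after unregister_hw: %s\n",
           replay_race(false) ? "ok" : "list corruption detected");
    printf("guarded   if_remove after unregister_hw: %s\n",
           replay_race(true) ? "ok" : "list corruption detected");
    return 0;
}
```

The unguarded replay trips the validity check because the first list_del() poisoned a.list.next, which is the same condition behind the "corrupted list" BUG in the report; the guarded replay returns before touching the entry, which is what the list_empty() test in the patch achieves under iflist_mtx.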

Stefan Schmidt

Nov 19, 2024, 5:07:46 AM11/19/24
to miquel...@bootlin.com, Lizhi Xu, Stefan Schmidt, alex....@gmail.com, da...@davemloft.net, dman...@yandex.ru, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzbot+985f82...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Hello Lizhi Xu.

On Wed, 13 Nov 2024 17:51:29 +0800, Lizhi Xu wrote:
> syzkaller reported a corrupted list in ieee802154_if_remove. [1]
>
> Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
> hardware device from the system.
>
> CPU0                                      CPU1
> ====                                      ====
> genl_family_rcv_msg_doit                  ieee802154_unregister_hw
>   ieee802154_del_iface                      ieee802154_remove_interfaces
>     rdev_del_virtual_intf_deprecated          list_del(&sdata->list)
>       ieee802154_if_remove
>         list_del_rcu
>
> [...]

Applied to wpan/wpan.git, thanks!

[1/1] mac802154: check local interfaces before deleting sdata list
https://git.kernel.org/wpan/wpan/c/eb09fbeb4870

regards,
Stefan Schmidt