[syzbot ci] Re: ipmr: No RTNL for RTNL_FAMILY_IPMR rtnetlink.
0 views
Skip to first unread message
syzbot ci
12:00 PM (8 hours ago) 12:00 PM
to da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kuni...@gmail.com, kun...@google.com, net...@vger.kernel.org, pab...@redhat.com, syz...@lists.linux.dev, syzkall...@googlegroups.com
syzbot ci has tested the following series
[v1] ipmr: No RTNL for RTNL_FAMILY_IPMR rtnetlink.
https://lore.kernel.org/all/20260226023637....@google.com
* [PATCH v1 net-next 01/15] selftest: net: Add basic functionality tests for ipmr.
* [PATCH v1 net-next 02/15] ipmr: Annotate access to mrt->mroute_do_{pim,assert,wrvifwhole}.
* [PATCH v1 net-next 03/15] ipmr: Convert ipmr_rtm_dumplink() to RCU.
* [PATCH v1 net-next 04/15] ipmr: Use MAXVIFS in mroute_msgsize().
* [PATCH v1 net-next 05/15] ipmr: Convert ipmr_rtm_getroute() to RCU.
* [PATCH v1 net-next 06/15] ipmr: Convert ipmr_rtm_dumproute() to RCU.
* [PATCH v1 net-next 07/15] ipmr: Move unregister_netdevice_many() out of mroute_clean_tables().
* [PATCH v1 net-next 08/15] ipmr: Move unregister_netdevice_many() out of ipmr_free_table().
* [PATCH v1 net-next 09/15] ipmr: Convert ipmr_net_exit_batch() to ->exit_rtnl().
* [PATCH v1 net-next 10/15] ipmr: Remove RTNL in ipmr_rules_init() and ipmr_net_init().
* [PATCH v1 net-next 11/15] ipmr: Call fib_rules_unregister() without RTNL.
* [PATCH v1 net-next 12/15] ipmr: Define net->ipv4.{ipmr_notifier_ops,ipmr_seq} under CONFIG_IP_MROUTE.
* [PATCH v1 net-next 13/15] ipmr/ip6mr: Convert net->ipv[46].ipmr_seq to atomic_t.
* [PATCH v1 net-next 14/15] ipmr: Add dedicated mutex for mrt->{mfc_hash,mfc_cache_list}.
* [PATCH v1 net-next 15/15] ipmr: Don't hold RTNL for ipmr_rtm_route().
and found the following issue:
WARNING in ipmr_free_table
Full report is available here:
https://ci.syzbot.org/series/d7068eba-72b1-4110-aeb0-d4528e03fd24
***
WARNING in ipmr_free_table
tree: net-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git
base: c7f5c6fb0f2b1a44490a36582a251f0a304d6b0c
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/0afa280b-14ff-4aec-8a20-7f8507025dd8/config
C repro: https://ci.syzbot.org/findings/e38687c7-5a8b-4c68-909c-a0ffdd17a674/c_repro
syz repro: https://ci.syzbot.org/findings/e38687c7-5a8b-4c68-909c-a0ffdd17a674/syz_repro
------------[ cut here ]------------
!net_initialized(net) && !list_empty(dev_kill_list)
WARNING: net/ipv4/ipmr.c:450 at ipmr_free_table+0x150/0x180 net/ipv4/ipmr.c:450, CPU#1: syz.1.18/6004
Modules linked in:
CPU: 1 UID: 0 PID: 6004 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ipmr_free_table+0x150/0x180 net/ipv4/ipmr.c:450
Code: 23 e8 f4 5c 95 f7 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 df 5c 95 f7 90 0f 0b 90 e9 64 ff ff ff e8 d1 5c 95 f7 90 <0f> 0b 90 eb d7 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 03 ff ff ff
RSP: 0018:ffffc900037afa70 EFLAGS: 00010293
RAX: ffffffff8a302fbf RBX: ffffc900037afb60 RCX: ffff888172a70000
RDX: 0000000000000000 RSI: ffffffff8def033c RDI: ffffffff8c27a480
RBP: 0000000000000001 R08: ffffffff901166b7 R09: 1ffffffff2022cd6
R10: dffffc0000000000 R11: fffffbfff2022cd7 R12: ffff88816a392758
R13: dffffc0000000000 R14: ffff8881b8960000 R15: ffff88816a392758
FS: 00007f5a2d24e6c0(0000) GS:ffff8882a9469000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b7544e9d3 CR3: 0000000172316000 CR4: 00000000000006f0
Call Trace:
<TASK>
ipmr_rules_exit_rtnl net/ipv4/ipmr.c:297 [inline]
ipmr_net_exit_rtnl+0x156/0x1a0 net/ipv4/ipmr.c:3339
ops_exit_rtnl_list net/core/net_namespace.c:181 [inline]
ops_undo_list+0x347/0x940 net/core/net_namespace.c:248
setup_net+0x2f0/0x340 net/core/net_namespace.c:462
copy_net_ns+0x50e/0x730 net/core/net_namespace.c:581
create_new_namespaces+0x3e7/0x6a0 kernel/nsproxy.c:130
unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:226
ksys_unshare+0x4f4/0x900 kernel/fork.c:3174
__do_sys_unshare kernel/fork.c:3245 [inline]
__se_sys_unshare kernel/fork.c:3243 [inline]
__x64_sys_unshare+0x38/0x50 kernel/fork.c:3243
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5a2c39c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5a2d24e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f5a2c615fa0 RCX: 00007f5a2c39c629
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006a040000
RBP: 00007f5a2c432b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5a2c616038 R14: 00007f5a2c615fa0 R15: 00007fffb0e41968
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syz...@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzk...@googlegroups.com.
[v1] ipmr: No RTNL for RTNL_FAMILY_IPMR rtnetlink.
https://lore.kernel.org/all/20260226023637....@google.com
* [PATCH v1 net-next 01/15] selftest: net: Add basic functionality tests for ipmr.
* [PATCH v1 net-next 02/15] ipmr: Annotate access to mrt->mroute_do_{pim,assert,wrvifwhole}.
* [PATCH v1 net-next 03/15] ipmr: Convert ipmr_rtm_dumplink() to RCU.
* [PATCH v1 net-next 04/15] ipmr: Use MAXVIFS in mroute_msgsize().
* [PATCH v1 net-next 05/15] ipmr: Convert ipmr_rtm_getroute() to RCU.
* [PATCH v1 net-next 06/15] ipmr: Convert ipmr_rtm_dumproute() to RCU.
* [PATCH v1 net-next 07/15] ipmr: Move unregister_netdevice_many() out of mroute_clean_tables().
* [PATCH v1 net-next 08/15] ipmr: Move unregister_netdevice_many() out of ipmr_free_table().
* [PATCH v1 net-next 09/15] ipmr: Convert ipmr_net_exit_batch() to ->exit_rtnl().
* [PATCH v1 net-next 10/15] ipmr: Remove RTNL in ipmr_rules_init() and ipmr_net_init().
* [PATCH v1 net-next 11/15] ipmr: Call fib_rules_unregister() without RTNL.
* [PATCH v1 net-next 12/15] ipmr: Define net->ipv4.{ipmr_notifier_ops,ipmr_seq} under CONFIG_IP_MROUTE.
* [PATCH v1 net-next 13/15] ipmr/ip6mr: Convert net->ipv[46].ipmr_seq to atomic_t.
* [PATCH v1 net-next 14/15] ipmr: Add dedicated mutex for mrt->{mfc_hash,mfc_cache_list}.
* [PATCH v1 net-next 15/15] ipmr: Don't hold RTNL for ipmr_rtm_route().
and found the following issue:
WARNING in ipmr_free_table
Full report is available here:
https://ci.syzbot.org/series/d7068eba-72b1-4110-aeb0-d4528e03fd24
***
WARNING in ipmr_free_table
tree: net-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git
base: c7f5c6fb0f2b1a44490a36582a251f0a304d6b0c
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/0afa280b-14ff-4aec-8a20-7f8507025dd8/config
C repro: https://ci.syzbot.org/findings/e38687c7-5a8b-4c68-909c-a0ffdd17a674/c_repro
syz repro: https://ci.syzbot.org/findings/e38687c7-5a8b-4c68-909c-a0ffdd17a674/syz_repro
------------[ cut here ]------------
!net_initialized(net) && !list_empty(dev_kill_list)
WARNING: net/ipv4/ipmr.c:450 at ipmr_free_table+0x150/0x180 net/ipv4/ipmr.c:450, CPU#1: syz.1.18/6004
Modules linked in:
CPU: 1 UID: 0 PID: 6004 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ipmr_free_table+0x150/0x180 net/ipv4/ipmr.c:450
Code: 23 e8 f4 5c 95 f7 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 df 5c 95 f7 90 0f 0b 90 e9 64 ff ff ff e8 d1 5c 95 f7 90 <0f> 0b 90 eb d7 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 03 ff ff ff
RSP: 0018:ffffc900037afa70 EFLAGS: 00010293
RAX: ffffffff8a302fbf RBX: ffffc900037afb60 RCX: ffff888172a70000
RDX: 0000000000000000 RSI: ffffffff8def033c RDI: ffffffff8c27a480
RBP: 0000000000000001 R08: ffffffff901166b7 R09: 1ffffffff2022cd6
R10: dffffc0000000000 R11: fffffbfff2022cd7 R12: ffff88816a392758
R13: dffffc0000000000 R14: ffff8881b8960000 R15: ffff88816a392758
FS: 00007f5a2d24e6c0(0000) GS:ffff8882a9469000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b7544e9d3 CR3: 0000000172316000 CR4: 00000000000006f0
Call Trace:
<TASK>
ipmr_rules_exit_rtnl net/ipv4/ipmr.c:297 [inline]
ipmr_net_exit_rtnl+0x156/0x1a0 net/ipv4/ipmr.c:3339
ops_exit_rtnl_list net/core/net_namespace.c:181 [inline]
ops_undo_list+0x347/0x940 net/core/net_namespace.c:248
setup_net+0x2f0/0x340 net/core/net_namespace.c:462
copy_net_ns+0x50e/0x730 net/core/net_namespace.c:581
create_new_namespaces+0x3e7/0x6a0 kernel/nsproxy.c:130
unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:226
ksys_unshare+0x4f4/0x900 kernel/fork.c:3174
__do_sys_unshare kernel/fork.c:3245 [inline]
__se_sys_unshare kernel/fork.c:3243 [inline]
__x64_sys_unshare+0x38/0x50 kernel/fork.c:3243
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5a2c39c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5a2d24e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f5a2c615fa0 RCX: 00007f5a2c39c629
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006a040000
RBP: 00007f5a2c432b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5a2c616038 R14: 00007f5a2c615fa0 R15: 00007fffb0e41968
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syz...@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzk...@googlegroups.com.
Kuniyuki Iwashima
2:15 PM (6 hours ago) 2:15 PM
to syzbot+ci7bf...@syzkaller.appspotmail.com, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kuni...@gmail.com, kun...@google.com, net...@vger.kernel.org, pab...@redhat.com, syz...@lists.linux.dev, syzkall...@googlegroups.com
From: syzbot ci <syzbot+ci7bf...@syzkaller.appspotmail.com>
Date: Thu, 26 Feb 2026 09:00:11 -0800
I forgot dev_kill_list could have some devices collected
from _other_ ->rtnl_exit() _after_ successful ipmr init.
My assumption in patch 10 is still correct, and I'll squash
this in v2.
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 4e645a87dc6c..89e151121cea 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -437,17 +437,19 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
static void ipmr_free_table(struct mr_table *mrt, struct list_head *dev_kill_list)
{
struct net *net = read_pnet(&mrt->net);
+ LIST_HEAD(ipmr_dev_kill_list);
WARN_ON_ONCE(!mr_can_free_table(net));
timer_shutdown_sync(&mrt->ipmr_expire_timer);
mroute_clean_tables(mrt, MRT_FLUSH_VIFS | MRT_FLUSH_VIFS_STATIC |
MRT_FLUSH_MFC | MRT_FLUSH_MFC_STATIC,
- dev_kill_list);
+ &ipmr_dev_kill_list);
rhltable_destroy(&mrt->mfc_hash);
kfree(mrt);
- WARN_ON_ONCE(!net_initialized(net) && !list_empty(dev_kill_list));
+ WARN_ON_ONCE(!net_initialized(net) && !list_empty(&ipmr_dev_kill_list));
+ list_splice(&ipmr_dev_kill_list, dev_kill_list);
}
/* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */
Date: Thu, 26 Feb 2026 09:00:11 -0800
from _other_ ->rtnl_exit() _after_ successful ipmr init.
My assumption in patch 10 is still correct, and I'll squash
this in v2.
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 4e645a87dc6c..89e151121cea 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -437,17 +437,19 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
static void ipmr_free_table(struct mr_table *mrt, struct list_head *dev_kill_list)
{
struct net *net = read_pnet(&mrt->net);
+ LIST_HEAD(ipmr_dev_kill_list);
WARN_ON_ONCE(!mr_can_free_table(net));
timer_shutdown_sync(&mrt->ipmr_expire_timer);
mroute_clean_tables(mrt, MRT_FLUSH_VIFS | MRT_FLUSH_VIFS_STATIC |
MRT_FLUSH_MFC | MRT_FLUSH_MFC_STATIC,
- dev_kill_list);
+ &ipmr_dev_kill_list);
rhltable_destroy(&mrt->mfc_hash);
kfree(mrt);
- WARN_ON_ONCE(!net_initialized(net) && !list_empty(dev_kill_list));
+ WARN_ON_ONCE(!net_initialized(net) && !list_empty(&ipmr_dev_kill_list));
+ list_splice(&ipmr_dev_kill_list, dev_kill_list);
}
/* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */
Reply all
Reply to author
Forward
0 new messages