    rxrpc: bad unlock balance in rxrpc_recvmsg · 6dce3c20
    Eric Dumazet authored
    When either the "goto wait_interrupted;" or the "goto wait_error;"
    path is taken, the socket lock has already been released.
    
    This patch fixes the following syzbot splat:
    
    WARNING: bad unlock balance detected!
    5.0.0-rc4+ #59 Not tainted
    -------------------------------------
    syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at:
    [<ffffffff86651353>] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
    but there are no more locks to release!
    
    other info that might help us debug this:
    1 lock held by syz-executor223/8256:
     #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
     #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798
    
    stack backtrace:
    CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x172/0x1f0 lib/dump_stack.c:113
     print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline]
     print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368
     __lock_release kernel/locking/lockdep.c:3601 [inline]
     lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860
     sock_release_ownership include/net/sock.h:1471 [inline]
     release_sock+0x183/0x1c0 net/core/sock.c:2808
     rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
     sock_recvmsg_nosec net/socket.c:794 [inline]
     sock_recvmsg net/socket.c:801 [inline]
     sock_recvmsg+0xd0/0x110 net/socket.c:797
     __sys_recvfrom+0x1ff/0x350 net/socket.c:1845
     __do_sys_recvfrom net/socket.c:1863 [inline]
     __se_sys_recvfrom net/socket.c:1859 [inline]
     __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859
     do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x446379
    Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
    RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
    RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
    R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
    
    Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: David Howells <dhowells@redhat.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
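The bug class the commit message describes, as an added example that is not the kernel's code and not the patch itself: a recvmsg-style function drops the socket lock before sleeping, but its `wait_interrupted`/`wait_error` labels fall through to the common unlock at the bottom, so the lock is released twice and a lockdep-style balance check fires exactly as in the splat above. The `toy_sock`, `toy_lock_sock`, `toy_release_sock`, `recvmsg_buggy` and `recvmsg_fixed` names are assumptions for this illustration; the "fixed" shape only shows the general principle (error labels must not own an unlock they did not take) and does not reproduce the exact lines changed in net/rxrpc/recvmsg.c.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed toy model of a socket lock with a lockdep-like balance
 * check. Not the kernel's lock_sock()/release_sock() or lockdep; every
 * toy_* name here is an assumption made for this illustration. */
struct toy_sock {
	int lock_depth;          /* 1 while the socket is owned, else 0 */
	int imbalance_warnings;  /* count of "bad unlock balance" events */
};

static void toy_lock_sock(struct toy_sock *sk)
{
	sk->lock_depth++;
}

static void toy_release_sock(struct toy_sock *sk)
{
	if (sk->lock_depth == 0) {
		/* Releasing a lock we do not hold: this is the condition
		 * lockdep reports as "bad unlock balance detected!" */
		sk->imbalance_warnings++;
		return;
	}
	sk->lock_depth--;
}

enum wait_outcome { HAVE_DATA, WAIT_INTERRUPTED, WAIT_ERROR };

/* Buggy shape: the sleep path drops the lock before waiting, but the
 * wait_interrupted/wait_error labels fall through to the common unlock. */
static int recvmsg_buggy(struct toy_sock *sk, enum wait_outcome outcome)
{
	int ret;

	toy_lock_sock(sk);
	if (outcome == HAVE_DATA) {
		ret = 0;
		goto out;
	}
	/* Nothing queued: release the lock so the caller can sleep. */
	toy_release_sock(sk);
	if (outcome == WAIT_INTERRUPTED)
		goto wait_interrupted;
	ret = -ECONNRESET;
	goto wait_error;

wait_interrupted:
	ret = -EINTR;
wait_error:
	/* BUG: the lock was already released above; this unlocks twice. */
out:
	toy_release_sock(sk);
	return ret;
}

/* Fixed shape: the wait labels bypass the unlock they do not own. */
static int recvmsg_fixed(struct toy_sock *sk, enum wait_outcome outcome)
{
	int ret;

	toy_lock_sock(sk);
	if (outcome == HAVE_DATA) {
		ret = 0;
		goto out;
	}
	toy_release_sock(sk);
	if (outcome == WAIT_INTERRUPTED)
		goto wait_interrupted;
	ret = -ECONNRESET;
	goto wait_error;

wait_interrupted:
	ret = -EINTR;
wait_error:
	goto error_no_unlock;   /* lock already dropped on this path */
out:
	toy_release_sock(sk);
error_no_unlock:
	return ret;
}

typedef int (*recvmsg_fn)(struct toy_sock *, enum wait_outcome);

/* Number of imbalance warnings one call produces, or -1 if the function
 * leaked the lock (lock_depth != 0 afterwards), which would be the
 * opposite bug. */
static int imbalance_warnings(recvmsg_fn fn, enum wait_outcome outcome)
{
	struct toy_sock sk = { 0, 0 };

	fn(&sk, outcome);
	return sk.lock_depth == 0 ? sk.imbalance_warnings : -1;
}

/* The errno-style return value of one call, for checking both shapes
 * report the same result to userspace. */
static int return_value(recvmsg_fn fn, enum wait_outcome outcome)
{
	struct toy_sock sk = { 0, 0 };

	return fn(&sk, outcome);
}

int main(void)
{
	int buggy = imbalance_warnings(recvmsg_buggy, WAIT_INTERRUPTED);
	int fixed = imbalance_warnings(recvmsg_fixed, WAIT_INTERRUPTED);

	printf("buggy, interrupted: %d warning(s)\n", buggy);
	printf("fixed, interrupted: %d warning(s)\n", fixed);
	return 0;
}
```

The balance checker is the part worth keeping in mind when reviewing goto-style cleanup paths: every label at the bottom of a function implicitly asserts which locks are held on arrival, and a path that drops a lock early must jump past the shared unlock, not into it.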