Re: [PATCH net-next] net: dev_addr_lists: don't WARN on GFP_ATOMIC kmalloc failure in netif_rx_mode_run

[Zijing yin]

Thank you so much for the feedback! I will address these comments in the 
next version. This is not found by syzbot by the way.

Hope you have a great day!

On 19.05.2026 13:22, Jakub Sitnicki wrote:
> On Tue, May 19, 2026 at 02:55 AM -07, Zijing Yin wrote:
>> netif_rx_mode_run() fires netdev_WARN() when netif_addr_lists_snapshot()
>> returns non-zero. The only path to a non-zero return is -ENOMEM from
>> __hw_addr_create() failing its kmalloc(GFP_ATOMIC) -- syzkaller hits it
>> via failslab, and it can also be reached under real memory pressure.
>>
>> This is the only allocator-failure site in this file that WARNs.
>> __hw_addr_create() itself, and every other caller of it in this file
>> (__hw_addr_add_ex(), dev_uc_add_excl(), dev_uc_add(), dev_mc_add(), ...)
>> just propagate the -ENOMEM silently. GFP_ATOMIC is a may-fail allocator;
>> callers are required to handle NULL, so a returned -ENOMEM here is an
>> expected runtime condition, not an invariant violation.
>>
>> The miss is self-healing: any subsequent change to dev->uc / dev->mc
>> (every dev_{uc,mc}_{add,del}, IFF_PROMISC flip, etc.) calls
>> __dev_set_rx_mode() -> netif_rx_mode_queue(), which re-queues the device
>> and retries the sync. The only cost of a failed attempt is one stale
>> rx-mode window until the next update; nothing in the kernel relies on
>> this attempt succeeding.
>>
>> Demote to net_err_ratelimited() so the condition stays observable in
>> dmesg without tripping panic_on_warn.
>>
>> Reproducer (syzkaller .prog format with setup notes): 
>> https://pastebin.com/t7AQKx9v
>>
>> Fixes: 3554b4345d85 ("net: introduce ndo_set_rx_mode_async and netdev_rx_mode_work")
>> Signed-off-by: Zijing Yin <yzjaurora@xxxxxxxxx>
>> ---
>>  net/core/dev_addr_lists.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
>> index d73fcb0c6..c6fdcac74 100644
>> --- a/net/core/dev_addr_lists.c
>> +++ b/net/core/dev_addr_lists.c
>> @@ -1275,7 +1275,8 @@ static void netif_rx_mode_run(struct net_device *dev)
>>  		err = netif_addr_lists_snapshot(dev, &uc_snap, &mc_snap,
>>  						&uc_ref, &mc_ref);
>>  		if (err) {
>> -			netdev_WARN(dev, "failed to sync uc/mc addresses\n");
>> +			net_err_ratelimited("%s: failed to sync uc/mc addresses\n",
>> +					    netdev_name(dev));
>>  			netif_addr_unlock_bh(dev);
>>  			return;
>>  		}
> 
> 1) I'd go with net_warn_ratelimited() instead. The promoted message
> level in syslog might cause operational pain, and as you say the
> condition is self-healing. Seems unwarranted.
> 
> 2) Since it has a Fixes tag, should probably be sumitted for 'net' tree.
> 
> 3) Was this reported by syzbot? If so, there should also be Reported-by
> and Closes tags.