INFO: task hung in rtnetlink_rcv


syzbot

Apr 14, 2019, 5:28:23 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 286f9710 Merge 4.9.168 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1147729f200000
kernel config: https://syzkaller.appspot.com/x/.config?x=416e7ad1468db859
dashboard link: https://syzkaller.appspot.com/bug?extid=6e19e2b1b7efd2e94d5a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1644745b200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6e19e2...@syzkaller.appspotmail.com

audit: type=1400 audit(1554981473.565:5): avc: denied { associate } for
pid=2174 comm="syz-executor.5" name="syz5"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
INFO: task syz-executor.3:2166 blocked for more than 140 seconds.
Not tainted 4.9.168+ #39
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.3 D25016 2166 1 0x00000004
ffff8801cc538000 ffff8801d425dd80 ffff8801db721000 ffff8801d40c8000
ffff8801db721018 ffff8801d4a0f9b8 ffffffff8280028e ffff8801cc5388c8
ffff8801cc5388a0 00ff8801cc5388d0 ffff8801db7218f0 1ffff1003a941f26
Call Trace:
[<00000000ac3078e1>] schedule+0x92/0x1c0 kernel/sched/core.c:3546
[<000000004b3f9b38>] schedule_preempt_disabled+0x13/0x20
kernel/sched/core.c:3579
[<0000000021dd537a>] __mutex_lock_common kernel/locking/mutex.c:582
[inline]
[<0000000021dd537a>] mutex_lock_nested+0x38d/0x920
kernel/locking/mutex.c:621
[<00000000e039a886>] rtnl_lock net/core/rtnetlink.c:70 [inline]
[<00000000e039a886>] rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
[<00000000313b5024>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<00000000313b5024>] netlink_unicast+0x4c6/0x6d0
net/netlink/af_netlink.c:1311
[<000000001984b03c>] netlink_sendmsg+0x6b6/0xc80
net/netlink/af_netlink.c:1859
[<000000008e890726>] sock_sendmsg_nosec net/socket.c:649 [inline]
[<000000008e890726>] sock_sendmsg+0xbe/0x110 net/socket.c:659
[<0000000069d44983>] SYSC_sendto net/socket.c:1684 [inline]
[<0000000069d44983>] SyS_sendto+0x201/0x340 net/socket.c:1652
[<000000000e4bfb70>] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
[<000000001dd370a3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<000000006b1552fa>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<000000006b1552fa>]
watchdog+0x13c/0xae0 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<000000006fc3c96a>]
debug_show_all_locks+0x7f/0x21f kernel/locking/lockdep.c:4339
2 locks held by getty/2016:
#0: (&tty->ldisc_sem){++++++}, at: [<000000005423bdb8>]
ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:377
#1: (&ldata->atomic_read_lock){+.+...}, at: [<0000000012ec4b74>]
n_tty_read+0x1fe/0x1820 drivers/tty/n_tty.c:2156
1 lock held by syz-executor.3/2166:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.0/2169:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.4/2175:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
3 locks held by kworker/1:2/2505:
#0: ("%s"("ipv6_addrconf")){.+.+..}, at: [<00000000025a9415>]
process_one_work+0x790/0x1600 kernel/workqueue.c:2107
#1: ((addr_chk_work).work){+.+...}, at: [<00000000873bbd45>]
process_one_work+0x7ce/0x1600 kernel/workqueue.c:2111
#2: (rtnl_mutex){+.+.+.}, at: [<00000000d38904f1>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
1 lock held by syz-executor.1/3063:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.5/3052:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.5/3060:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.5/3065:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.2/3059:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.2/3061:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.2/3067:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 24 Comm: khungtaskd Not tainted 4.9.168+ #39
ffff8801d98d7cc8 ffffffff81b4f5d1 0000000000000000 0000000000000000
0000000000000000 ffffffff81097401 dffffc0000000000 ffff8801d98d7d00
ffffffff81b5a86c 0000000000000000 0000000000000000 0000000000000000
Call Trace:
[<0000000014e53332>] __dump_stack lib/dump_stack.c:15 [inline]
[<0000000014e53332>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<00000000d65eb0a7>] nmi_cpu_backtrace.cold+0x47/0x87
lib/nmi_backtrace.c:99
[<00000000eb216681>] nmi_trigger_cpumask_backtrace+0x124/0x155
lib/nmi_backtrace.c:60
[<00000000776cb4f5>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<0000000038b640ca>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<0000000038b640ca>] check_hung_task kernel/hung_task.c:125 [inline]
[<0000000038b640ca>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<0000000038b640ca>] watchdog+0x661/0xae0 kernel/hung_task.c:239
[<00000000e4c5a241>] kthread+0x278/0x310 kernel/kthread.c:211
[<00000000a3490d9c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 3047 Comm: syz-executor.1 Not tainted 4.9.168+ #39
task: 00000000e652a0d7 task.stack: 00000000526ba1fc
RIP: 0010:[<ffffffff814f8553>]  [<000000001cea5778>] filter_irq_stacks
mm/kasan/kasan.c:488 [inline]
RIP: 0010:[<ffffffff814f8553>]  [<000000001cea5778>] save_stack
mm/kasan/kasan.c:506 [inline]
RIP: 0010:[<ffffffff814f8553>]  [<000000001cea5778>] set_track
mm/kasan/kasan.c:517 [inline]
RIP: 0010:[<ffffffff814f8553>]  [<000000001cea5778>]
kasan_slab_free+0xc3/0x190 mm/kasan/kasan.c:582
RSP: 0018:ffff8801d5f572e8 EFLAGS: 00000297
RAX: 0000000000000015 RBX: ffff8801d0c0f360 RCX: 0000000000000011
RDX: ffffffff822b21d8 RSI: ffff8801d5f57300 RDI: 0000000000000000
RBP: ffff8801d5f57518 R08: 1ffff1003abeae4c R09: ffff8801d5f57260
R10: ffffed003abeae53 R11: ffff8801d5f5729f R12: ffff8801da577500
R13: ffff8801d0c0f280 R14: ffff8801da577500 R15: 0000000000000246
FS: 00007f8dadc15700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001962308 CR3: 00000001d4292000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000004000000015 ffff8801d5f57300 ffffffff00000000 ffffffff810774d6
ffffffff814f8540 ffffffff814f4e3e ffffffff822c537f ffffffff822c7f4e
ffffffff823d6cbe ffffffff823d7424 ffffffff823613ab ffffffff823bac3b
Call Trace:
[<000000006d5d9121>] slab_free_hook mm/slub.c:1355 [inline]
[<000000006d5d9121>] slab_free_freelist_hook mm/slub.c:1377 [inline]
[<000000006d5d9121>] slab_free mm/slub.c:2958 [inline]
[<000000006d5d9121>] kmem_cache_free+0xbe/0x310 mm/slub.c:2980
[<000000009c08eb20>] kfree_skbmem+0x9f/0x100 net/core/skbuff.c:627
[<00000000b97e210d>] __kfree_skb net/core/skbuff.c:689 [inline]
[<00000000b97e210d>] consume_skb+0xce/0x340 net/core/skbuff.c:761
[<00000000bde9c0d7>] netlink_broadcast_filtered+0x2ae/0x9d0
net/netlink/af_netlink.c:1486
[<0000000063e06a0e>] netlink_broadcast+0x44/0x60
net/netlink/af_netlink.c:1508
[<00000000c0ec7743>] rtnetlink_send+0x9b/0x100 net/core/rtnetlink.c:651
[<0000000007b53fb0>] tcf_add_notify net/sched/act_api.c:941 [inline]
[<0000000007b53fb0>] tcf_action_add net/sched/act_api.c:958 [inline]
[<0000000007b53fb0>] tc_ctl_action+0x46b/0x580 net/sched/act_api.c:993
[<0000000008722ed7>] rtnetlink_rcv_msg+0x506/0x6e0
net/core/rtnetlink.c:4081
[<0000000023a42247>] netlink_rcv_skb+0xd4/0x2e0
net/netlink/af_netlink.c:2365
[<00000000a525f8e1>] rtnetlink_rcv+0x2b/0x40 net/core/rtnetlink.c:4087
[<00000000313b5024>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<00000000313b5024>] netlink_unicast+0x4c6/0x6d0
net/netlink/af_netlink.c:1311
[<000000001984b03c>] netlink_sendmsg+0x6b6/0xc80
net/netlink/af_netlink.c:1859
[<000000008e890726>] sock_sendmsg_nosec net/socket.c:649 [inline]
[<000000008e890726>] sock_sendmsg+0xbe/0x110 net/socket.c:659
[<00000000b4df4c4a>] ___sys_sendmsg+0x78b/0x8b0 net/socket.c:1983
[<000000001866c8cf>] __sys_sendmsg+0xc8/0x170 net/socket.c:2017
[<00000000fb6824bd>] SYSC_sendmsg net/socket.c:2028 [inline]
[<00000000fb6824bd>] SyS_sendmsg+0x2d/0x50 net/socket.c:2024
[<000000000e4bfb70>] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
[<000000001dd370a3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 85 d0 fd ff ff 48 8d 85 e8 fd ff ff 48 89 85 d8 fd ff ff e8 80 ef
b7 ff 8b 85 d0 fd ff ff 85 c0 74 39 48 8b b5 d8 fd ff ff 31 c9 <48> 63
d1 48 8b 14 d6 48 81 fa 10 1e 81 82 72 5a 48 81 fa ce 58


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
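Added triage example (editor's addition; not part of the syzbot message and not code from the kernel tree): the "Showing all locks held in the system" dump above lists rtnl_mutex as held by eleven different tasks, which cannot literally be true for a mutex. Lockdep records a lock in a task's held_locks inside lock_acquire(), which mutex_lock() calls before __mutex_lock_common() has actually taken the mutex, so every task sleeping on rtnl_mutex is printed as a holder, the hung task syz-executor.3/2166 included. The Python parser below re-joins the mail-wrapped lines, folds the duplicate "#N:" entries lockdep prints for inlined frames, and then separates the listed holders into tasks parked at the same acquisition site as the hung task (rtnl_lock inlined into rtnetlink_rcv, most likely fellow waiters) and the remainder (here only kworker/1:2/2505 in addrconf's addr_chk_work). The running owner is not in the list at all: the NMI backtrace for CPU 1 shows syz-executor.1/3047 inside tc_ctl_action, which rtnetlink_rcv_msg runs with rtnl_mutex held. The embedded REPORT string is a trimmed excerpt of the report above; the "same site means waiter" rule is a heuristic of this example, not a lockdep guarantee.

```python
import re

# Trimmed excerpt of the syzbot report above, kept verbatim including the
# mailer's line wrapping; it is the sample input for this example.
REPORT = """\
INFO: task syz-executor.3:2166 blocked for more than 140 seconds.
Not tainted 4.9.168+ #39
Showing all locks held in the system:
1 lock held by syz-executor.3/2166:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
1 lock held by syz-executor.0/2169:
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>] rtnl_lock
net/core/rtnetlink.c:70 [inline]
#0: (rtnl_mutex){+.+.+.}, at: [<00000000e039a886>]
rtnetlink_rcv+0x1c/0x40 net/core/rtnetlink.c:4086
3 locks held by kworker/1:2/2505:
#0: ("%s"("ipv6_addrconf")){.+.+..}, at: [<00000000025a9415>]
process_one_work+0x790/0x1600 kernel/workqueue.c:2107
#1: ((addr_chk_work).work){+.+...}, at: [<00000000873bbd45>]
process_one_work+0x7ce/0x1600 kernel/workqueue.c:2111
#2: (rtnl_mutex){+.+.+.}, at: [<00000000d38904f1>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
"""

HUNG_RE = re.compile(r"^INFO: task (\S+?):(\d+) blocked for more than (\d+) seconds")
TASK_RE = re.compile(r"^(\d+) locks? held by (\S+)/(\d+):$")
# "#N: (lock name){usage}, at: [<addr>] symbol file:line"; the lock name may
# itself contain parentheses, hence the greedy group.
LOCK_RE = re.compile(r"^#(\d+): \((.*)\)\{[^}]*\}, at: \[<([0-9a-f]+)>\](.*)$")


def unwrap(text):
    """Re-join mailer-wrapped lines: a line starting no new record continues the previous one."""
    out = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        new_rec = s.startswith(("#", "Showing")) or TASK_RE.match(s) or HUNG_RE.match(s)
        if new_rec or not out:
            out.append(s)
        else:
            out[-1] += " " + s
    return out


def parse(text):
    """Return (hung, tasks): hung = (comm, pid, seconds) or None;
    task = {"comm", "pid", "locks": [{"index", "name", "frames"}]}."""
    hung, tasks, cur = None, [], None
    for line in unwrap(text):
        m = HUNG_RE.match(line)
        if m:
            hung = (m.group(1), int(m.group(2)), int(m.group(3)))
            continue
        m = TASK_RE.match(line)
        if m:
            cur = {"comm": m.group(2), "pid": int(m.group(3)), "locks": []}
            tasks.append(cur)
            continue
        m = LOCK_RE.match(line)
        if m and cur is not None:
            idx, name, site = int(m.group(1)), m.group(2), m.group(4).strip()
            # Inlined frames make lockdep print one "#N:" slot twice: first the
            # inlined callee tagged "[inline]", then the real symbol+offset.
            if cur["locks"] and cur["locks"][-1]["index"] == idx:
                cur["locks"][-1]["frames"].append(site)
            else:
                cur["locks"].append({"index": idx, "name": name, "frames": [site]})
    return hung, tasks


def site_of(task, lock_name):
    """Outermost (non-inlined) acquisition site of lock_name in task, or None."""
    for lk in task["locks"]:
        if lk["name"] == lock_name:
            return lk["frames"][-1]
    return None


def triage(text, lock_name="rtnl_mutex"):
    hung, tasks = parse(text)
    holders = [t for t in tasks if site_of(t, lock_name) is not None]
    hung_task = next((t for t in tasks if hung and t["pid"] == hung[1]), None)
    hung_site = site_of(hung_task, lock_name) if hung_task else None
    # lock_acquire() records a mutex in held_locks before __mutex_lock_common()
    # has taken it, so every task sleeping on lock_name is printed as a holder.
    # Heuristic of this example (not a lockdep guarantee): tasks at the hung
    # task's acquisition site are fellow waiters; the owner, if listed at all,
    # is among the rest.
    waiters = [(t["comm"], t["pid"]) for t in holders
               if t is not hung_task and site_of(t, lock_name) == hung_site]
    candidates = [(t["comm"], t["pid"], site_of(t, lock_name)) for t in holders
                  if site_of(t, lock_name) != hung_site]
    return {"hung": hung,
            "holders": [(t["comm"], t["pid"], site_of(t, lock_name)) for t in holders],
            "same_site_as_hung": waiters,
            "candidate_owners": candidates}


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(key, val)
```

Run it on the full message (paste the "Showing all locks" section into REPORT, or read it from a file) and every syz-executor task blocked in rtnetlink_rcv lands in same_site_as_hung; only the addrconf kworker, which entered rtnl_lock from a different path, survives as a candidate. That is exactly the ambiguity the NMI backtrace for CPU 1 resolves, so the lock dump and the per-CPU backtraces should always be read together.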