suspicious RCU usage at net/ipv6/ip6_fib.c:LINE

syzbot

Apr 13, 2019, 8:00:32 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f3f3457d
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=17be3a69800000
kernel config: https://syzkaller.appspot.com/x/.config?x=4fadd453521adb
dashboard link: https://syzkaller.appspot.com/bug?extid=df6d6b709051bfd2015d
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13345051800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11053161800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+df6d6b...@syzkaller.appspotmail.com


===============================
[ INFO: suspicious RCU usage. ]
4.9.73-gf3f3457 #1 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1471 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
5 locks held by syzkaller123889/3341:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff8149671b>]
vm_mmap_pgoff+0x12b/0x1b0 mm/util.c:303
#1: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [<ffffffff812a3894>]
lockdep_copy_map include/linux/lockdep.h:165 [inline]
#1: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [<ffffffff812a3894>]
call_timer_fn+0xe4/0x700 kernel/time/timer.c:1311
#2: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-...}, at: [<ffffffff83471275>]
spin_lock_bh include/linux/spinlock.h:307 [inline]
#2: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-...}, at: [<ffffffff83471275>]
fib6_run_gc+0xa5/0x2c0 net/ipv6/ip6_fib.c:1816
#3: (rcu_read_lock){......}, at: [<ffffffff8346b880>]
__fib6_clean_all+0x0/0x230 net/ipv6/ip6_fib.c:740
#4: (&tb->tb6_lock){++-...}, at: [<ffffffff8346b960>]
__fib6_clean_all+0xe0/0x230 net/ipv6/ip6_fib.c:1717

stack backtrace:
CPU: 0 PID: 3341 Comm: syzkaller123889 Not tainted 4.9.73-gf3f3457 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
ffff8801db207900 ffffffff81d922b9 ffff8801c8284800 0000000000000000
0000000000000002 ffffffff83f4ae40 ffffed003b640f70 ffff8801db207930
ffffffff81236529 ffff8801d06d0700 ffff8801d06d0700 dffffc0000000000
Call Trace:
<IRQ> [ 71.036090] [<ffffffff81d922b9>] __dump_stack
lib/dump_stack.c:15 [inline]
<IRQ> [ 71.036090] [<ffffffff81d922b9>] dump_stack+0xc1/0x128
lib/dump_stack.c:51
[<ffffffff81236529>] lockdep_rcu_suspicious+0x139/0x180
kernel/locking/lockdep.c:4455
[<ffffffff8347097b>] fib6_del+0x6ab/0xa30 net/ipv6/ip6_fib.c:1470
[<ffffffff83471036>] fib6_clean_node+0x336/0x4a0 net/ipv6/ip6_fib.c:1657
[<ffffffff83467f0b>] fib6_walk_continue+0x39b/0x620 net/ipv6/ip6_fib.c:1583
[<ffffffff8346a8a9>] fib6_walk+0xd9/0x150 net/ipv6/ip6_fib.c:1628
[<ffffffff8346aa05>] fib6_clean_tree+0xe5/0x130 net/ipv6/ip6_fib.c:1702
[<ffffffff8346b979>] __fib6_clean_all+0xf9/0x230 net/ipv6/ip6_fib.c:1718
[<ffffffff834712e7>] fib6_clean_all net/ipv6/ip6_fib.c:1729 [inline]
[<ffffffff834712e7>] fib6_run_gc+0x117/0x2c0 net/ipv6/ip6_fib.c:1826
[<ffffffff834714ac>] fib6_gc_timer_cb+0x1c/0x20 net/ipv6/ip6_fib.c:1841
[<ffffffff812a3914>] call_timer_fn+0x164/0x700 kernel/time/timer.c:1321
[<ffffffff812a5782>] expire_timers kernel/time/timer.c:1361 [inline]
[<ffffffff812a5782>] __run_timers kernel/time/timer.c:1660 [inline]
[<ffffffff812a5782>] run_timer_softirq+0x6a2/0x1660
kernel/time/timer.c:1686
[<ffffffff838b5d76>] __do_softirq+0x206/0x951 kernel/softirq.c:284
[<ffffffff81144e85>] invoke_softirq kernel/softirq.c:364 [inline]
[<ffffffff81144e85>] irq_exit+0x165/0x190 kernel/softirq.c:405
[<ffffffff838b498b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
[<ffffffff838b498b>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:960
[<ffffffff838b0d5c>] apic_timer_interrupt+0x8c/0xa0
arch/x86/entry/entry_64.S:704
<EOI> [ 71.271115] [<ffffffff838aedef>] ? arch_local_irq_restore
arch/x86/include/asm/paravirt.h:767 [inline]
<EOI> [ 71.271115] [<ffffffff838aedef>] ? __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:162 [inline]
<EOI> [ 71.271115] [<ffffffff838aedef>] ?
_raw_spin_unlock_irqrestore+0x5f/0x70 kernel/locking/spinlock.c:191
[<ffffffff81dfc582>] __debug_check_no_obj_freed lib/debugobjects.c:730
[inline]
[<ffffffff81dfc582>] debug_check_no_obj_freed+0x2c2/0xa10
lib/debugobjects.c:746
[<ffffffff81448995>] free_pages_prepare mm/page_alloc.c:1061 [inline]
[<ffffffff81448995>] __free_pages_ok+0x1e5/0x16c0 mm/page_alloc.c:1263
[<ffffffff81449ece>] free_compound_page+0x5e/0x70 mm/page_alloc.c:594
[<ffffffff81552079>] free_transhuge_page+0x99/0xc0 mm/huge_memory.c:2228
[<ffffffff81462a07>] __put_compound_page+0x87/0xb0 mm/swap.c:94
[<ffffffff814636b4>] release_pages+0x2e4/0x930 mm/swap.c:763
[<ffffffff81508183>] free_pages_and_swap_cache+0x113/0x160
mm/swap_state.c:273
[<ffffffff814c0054>] tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:259
[<ffffffff814c3933>] tlb_flush_mmu mm/memory.c:268 [inline]
[<ffffffff814c3933>] tlb_finish_mmu+0x23/0xa0 mm/memory.c:279
[<ffffffff814da4fe>] unmap_region+0x29e/0x3a0 mm/mmap.c:2506
[<ffffffff814de661>] do_munmap+0x721/0xeb0 mm/mmap.c:2702
[<ffffffff814e497d>] mmap_region+0x14d/0xfd0 mm/mmap.c:1635
[<ffffffff814e5d7b>] do_mmap+0x57b/0xbe0 mm/mmap.c:1473
[<ffffffff8149675b>] do_mmap_pgoff include/linux/mm.h:2019 [inline]
[<ffffffff8149675b>] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
[<ffffffff814dfe20>] SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
[<ffffffff814dfe20>] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
[<ffffffff8105f216>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
[<ffffffff8105f216>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
[<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 13, 2019, 8:00:42 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1849cd3d
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1610f871800000
kernel config: https://syzkaller.appspot.com/x/.config?x=44509e3077d6939
dashboard link: https://syzkaller.appspot.com/bug?extid=2688ec90488bade79658
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17b54659800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16dd2a39800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2688ec...@syzkaller.appspotmail.com


===============================
[ INFO: suspicious RCU usage. ]
4.4.111-g1849cd3 #26 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1466 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 1, debug_locks = 0
5 locks held by syzkaller158887/3324:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810dc5f0>]
__do_page_fault+0x290/0xa00 arch/x86/mm/fault.c:1184
#1: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [<ffffffff8129fdbc>]
lockdep_copy_map include/linux/lockdep.h:165 [inline]
#1: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [<ffffffff8129fdbc>]
call_timer_fn+0xdc/0x860 kernel/time/timer.c:1168
#2: (fib6_gc_lock){+.-...}, at: [<ffffffff83358a6a>] spin_lock_bh
include/linux/spinlock.h:307 [inline]
#2: (fib6_gc_lock){+.-...}, at: [<ffffffff83358a6a>]
fib6_run_gc+0x3a/0x230 net/ipv6/ip6_fib.c:1811
#3: (rcu_read_lock){......}, at: [<ffffffff833531b0>]
__fib6_clean_all+0x0/0x230 net/ipv6/ip6_fib.c:739
#4: (&tb->tb6_lock){++-...}, at: [<ffffffff83353295>]
__fib6_clean_all+0xe5/0x230 net/ipv6/ip6_fib.c:1712

stack backtrace:
CPU: 1 PID: 3324 Comm: syzkaller158887 Not tainted 4.4.111-g1849cd3 #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
0000000000000000 ffdc50c0e5d82798 ffff8801db307968 ffffffff81d0509d
ffff8801d18b17c0 0000000000000000 0000000000000001 ffffffff83d10520
ffffed003b660f7a ffff8801db307998 ffffffff81232909 ffff8800b7b29880
Call Trace:
<IRQ> [<ffffffff81d0509d>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81d0509d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff81232909>] lockdep_rcu_suspicious+0x139/0x180
kernel/locking/lockdep.c:4305
[<ffffffff83358193>] fib6_del+0x673/0xa00 net/ipv6/ip6_fib.c:1465
[<ffffffff8335885a>] fib6_clean_node+0x33a/0x4e0 net/ipv6/ip6_fib.c:1652
[<ffffffff8334fc8b>] fib6_walk_continue+0x39b/0x620 net/ipv6/ip6_fib.c:1578
[<ffffffff83350029>] fib6_walk+0x89/0xd0 net/ipv6/ip6_fib.c:1623
[<ffffffff83350152>] fib6_clean_tree+0xe2/0x130 net/ipv6/ip6_fib.c:1697
[<ffffffff833532ae>] __fib6_clean_all+0xfe/0x230 net/ipv6/ip6_fib.c:1713
[<ffffffff83358adf>] fib6_clean_all net/ipv6/ip6_fib.c:1724 [inline]
[<ffffffff83358adf>] fib6_run_gc+0xaf/0x230 net/ipv6/ip6_fib.c:1821
[<ffffffff83358c7c>] fib6_gc_timer_cb+0x1c/0x20 net/ipv6/ip6_fib.c:1836
[<ffffffff8129fe6b>] call_timer_fn+0x18b/0x860 kernel/time/timer.c:1178
[<ffffffff812a1f74>] __run_timers kernel/time/timer.c:1254 [inline]
[<ffffffff812a1f74>] run_timer_softirq+0x604/0xbb0 kernel/time/timer.c:1437
[<ffffffff83778dbd>] __do_softirq+0x24d/0xa59 kernel/softirq.c:273
[<ffffffff8113da09>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8113da09>] irq_exit+0x119/0x140 kernel/softirq.c:391
[<ffffffff837784fb>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
[<ffffffff837784fb>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:926
[<ffffffff83777450>] apic_timer_interrupt+0xa0/0xb0
arch/x86/entry/entry_64.S:725
<EOI> [<ffffffff814a2e9c>] ? clear_huge_page+0x9c/0x4b0 mm/memory.c:3843
[<ffffffff811a4cc9>] ___might_sleep+0x329/0x460 kernel/sched/core.c:7938
[<ffffffff814a2eaf>] clear_huge_page+0xaf/0x4b0 mm/memory.c:3843
[<ffffffff8150d400>] __do_huge_pmd_anonymous_page mm/huge_memory.c:739
[inline]
[<ffffffff8150d400>] do_huge_pmd_anonymous_page+0x270/0xa10
mm/huge_memory.c:867
[<ffffffff814a1c0a>] create_huge_pmd mm/memory.c:3242 [inline]
[<ffffffff814a1c0a>] __handle_mm_fault mm/memory.c:3361 [inline]
[<ffffffff814a1c0a>] handle_mm_fault+0x271a/0x3190 mm/memory.c:3455
[<ffffffff810dc6bb>] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[<ffffffff810dcd87>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[<ffffffff83776cc8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1021