Hello,
syzbot found the following crash on:
HEAD commit: f3f3457d
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=17be3a69800000
kernel config: https://syzkaller.appspot.com/x/.config?x=4fadd453521adb
dashboard link: https://syzkaller.appspot.com/bug?extid=df6d6b709051bfd2015d
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13345051800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11053161800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+df6d6b...@syzkaller.appspotmail.com
===============================
[ INFO: suspicious RCU usage. ]
4.9.73-gf3f3457 #1 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1471 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 0
5 locks held by syzkaller123889/3341:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff8149671b>]
vm_mmap_pgoff+0x12b/0x1b0 mm/util.c:303
#1: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [<ffffffff812a3894>]
lockdep_copy_map include/linux/lockdep.h:165 [inline]
#1: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [<ffffffff812a3894>]
call_timer_fn+0xe4/0x700 kernel/time/timer.c:1311
#2: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-...}, at: [<ffffffff83471275>]
spin_lock_bh include/linux/spinlock.h:307 [inline]
#2: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-...}, at: [<ffffffff83471275>]
fib6_run_gc+0xa5/0x2c0 net/ipv6/ip6_fib.c:1816
#3: (rcu_read_lock){......}, at: [<ffffffff8346b880>]
__fib6_clean_all+0x0/0x230 net/ipv6/ip6_fib.c:740
#4: (&tb->tb6_lock){++-...}, at: [<ffffffff8346b960>]
__fib6_clean_all+0xe0/0x230 net/ipv6/ip6_fib.c:1717
stack backtrace:
CPU: 0 PID: 3341 Comm: syzkaller123889 Not tainted 4.9.73-gf3f3457 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
ffff8801db207900 ffffffff81d922b9 ffff8801c8284800 0000000000000000
0000000000000002 ffffffff83f4ae40 ffffed003b640f70 ffff8801db207930
ffffffff81236529 ffff8801d06d0700 ffff8801d06d0700 dffffc0000000000
Call Trace:
<IRQ> [ 71.036090] [<ffffffff81d922b9>] __dump_stack
lib/dump_stack.c:15 [inline]
<IRQ> [ 71.036090] [<ffffffff81d922b9>] dump_stack+0xc1/0x128
lib/dump_stack.c:51
[<ffffffff81236529>] lockdep_rcu_suspicious+0x139/0x180
kernel/locking/lockdep.c:4455
[<ffffffff8347097b>] fib6_del+0x6ab/0xa30 net/ipv6/ip6_fib.c:1470
[<ffffffff83471036>] fib6_clean_node+0x336/0x4a0 net/ipv6/ip6_fib.c:1657
[<ffffffff83467f0b>] fib6_walk_continue+0x39b/0x620 net/ipv6/ip6_fib.c:1583
[<ffffffff8346a8a9>] fib6_walk+0xd9/0x150 net/ipv6/ip6_fib.c:1628
[<ffffffff8346aa05>] fib6_clean_tree+0xe5/0x130 net/ipv6/ip6_fib.c:1702
[<ffffffff8346b979>] __fib6_clean_all+0xf9/0x230 net/ipv6/ip6_fib.c:1718
[<ffffffff834712e7>] fib6_clean_all net/ipv6/ip6_fib.c:1729 [inline]
[<ffffffff834712e7>] fib6_run_gc+0x117/0x2c0 net/ipv6/ip6_fib.c:1826
[<ffffffff834714ac>] fib6_gc_timer_cb+0x1c/0x20 net/ipv6/ip6_fib.c:1841
[<ffffffff812a3914>] call_timer_fn+0x164/0x700 kernel/time/timer.c:1321
[<ffffffff812a5782>] expire_timers kernel/time/timer.c:1361 [inline]
[<ffffffff812a5782>] __run_timers kernel/time/timer.c:1660 [inline]
[<ffffffff812a5782>] run_timer_softirq+0x6a2/0x1660
kernel/time/timer.c:1686
[<ffffffff838b5d76>] __do_softirq+0x206/0x951 kernel/softirq.c:284
[<ffffffff81144e85>] invoke_softirq kernel/softirq.c:364 [inline]
[<ffffffff81144e85>] irq_exit+0x165/0x190 kernel/softirq.c:405
[<ffffffff838b498b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
[<ffffffff838b498b>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:960
[<ffffffff838b0d5c>] apic_timer_interrupt+0x8c/0xa0
arch/x86/entry/entry_64.S:704
<EOI> [ 71.271115] [<ffffffff838aedef>] ? arch_local_irq_restore
arch/x86/include/asm/paravirt.h:767 [inline]
<EOI> [ 71.271115] [<ffffffff838aedef>] ? __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:162 [inline]
<EOI> [ 71.271115] [<ffffffff838aedef>] ?
_raw_spin_unlock_irqrestore+0x5f/0x70 kernel/locking/spinlock.c:191
[<ffffffff81dfc582>] __debug_check_no_obj_freed lib/debugobjects.c:730
[inline]
[<ffffffff81dfc582>] debug_check_no_obj_freed+0x2c2/0xa10
lib/debugobjects.c:746
[<ffffffff81448995>] free_pages_prepare mm/page_alloc.c:1061 [inline]
[<ffffffff81448995>] __free_pages_ok+0x1e5/0x16c0 mm/page_alloc.c:1263
[<ffffffff81449ece>] free_compound_page+0x5e/0x70 mm/page_alloc.c:594
[<ffffffff81552079>] free_transhuge_page+0x99/0xc0 mm/huge_memory.c:2228
[<ffffffff81462a07>] __put_compound_page+0x87/0xb0 mm/swap.c:94
[<ffffffff814636b4>] release_pages+0x2e4/0x930 mm/swap.c:763
[<ffffffff81508183>] free_pages_and_swap_cache+0x113/0x160
mm/swap_state.c:273
[<ffffffff814c0054>] tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:259
[<ffffffff814c3933>] tlb_flush_mmu mm/memory.c:268 [inline]
[<ffffffff814c3933>] tlb_finish_mmu+0x23/0xa0 mm/memory.c:279
[<ffffffff814da4fe>] unmap_region+0x29e/0x3a0 mm/mmap.c:2506
[<ffffffff814de661>] do_munmap+0x721/0xeb0 mm/mmap.c:2702
[<ffffffff814e497d>] mmap_region+0x14d/0xfd0 mm/mmap.c:1635
[<ffffffff814e5d7b>] do_mmap+0x57b/0xbe0 mm/mmap.c:1473
[<ffffffff8149675b>] do_mmap_pgoff include/linux/mm.h:2019 [inline]
[<ffffffff8149675b>] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
[<ffffffff814dfe20>] SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
[<ffffffff814dfe20>] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
[<ffffffff8105f216>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
[<ffffffff8105f216>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
[<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches