WARNING: ODEBUG bug in xfrm_policy_destroy


syzbot

Apr 14, 2019, 4:51:33 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1bdb20fc ANDROID: sdcardfs: Add option to drop unused dent..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=140ad26d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=88f924cb59937510
dashboard link: https://syzkaller.appspot.com/bug?extid=e46535f5f0913f55b44d
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1101b6f5400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e46535...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 3677 at lib/debugobjects.c:263 debug_print_object+0x181/0x210 lib/debugobjects.c:260()
ODEBUG: activate active (active state 1) object type: rcu_head
hint: (null)
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 3677 Comm: syz-executor0 Not tainted 4.4.162+ #119
0000000000000000 86a9890b261a2234 ffff8801db707278 ffffffff81aa526d
ffffffff828354e0 ffff8801d5578000 ffffffff8292a6c0 0000000000000009
0000000000000107 ffff8801db707338 ffffffff813a0e94 0000000041b58ab3
Call Trace:
<IRQ> [<ffffffff81aa526d>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81aa526d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff813a0e94>] panic+0x19e/0x359 kernel/panic.c:112
[<ffffffff813a1084>] warn_slowpath_common.cold.6+0x20/0x20 kernel/panic.c:455
[<ffffffff810d400f>] warn_slowpath_fmt+0xbf/0x100 kernel/panic.c:471
[<ffffffff81b03a31>] debug_print_object+0x181/0x210 lib/debugobjects.c:260
[<ffffffff81b04ada>] debug_object_activate+0x31a/0x480 lib/debugobjects.c:418
[<ffffffff81242175>] debug_rcu_head_queue kernel/rcu/rcu.h:75 [inline]
[<ffffffff81242175>] __call_rcu.constprop.59+0x35/0x930 kernel/rcu/tree.c:3059
[<ffffffff81242a82>] call_rcu+0x12/0x20 kernel/rcu/tree_plugin.h:662
[<ffffffff82541727>] xfrm_policy_destroy+0x77/0x90 net/xfrm/xfrm_policy.c:323
[<ffffffff8254ccf9>] xfrm_pol_put include/net/xfrm.h:797 [inline]
[<ffffffff8254ccf9>] xfrm_pols_put include/net/xfrm.h:804 [inline]
[<ffffffff8254ccf9>] __xfrm_policy_check+0xce9/0x1780 net/xfrm/xfrm_policy.c:2587
[<ffffffff8247af0d>] __xfrm_policy_check2 include/net/xfrm.h:1067 [inline]
[<ffffffff8247af0d>] xfrm_policy_check include/net/xfrm.h:1076 [inline]
[<ffffffff8247af0d>] xfrm4_policy_check include/net/xfrm.h:1081 [inline]
[<ffffffff8247af0d>] udp_queue_rcv_skb+0x8cd/0x1530 net/ipv4/udp.c:1520
[<ffffffff8247cb0f>] __udp4_lib_rcv+0x4df/0x23b0 net/ipv4/udp.c:1830
[<ffffffff82480011>] udp_rcv+0x21/0x30 net/ipv4/udp.c:2043
[<ffffffff823af240>] ip_local_deliver_finish+0x3c0/0xa70 net/ipv4/ip_input.c:216
[<ffffffff823b11fc>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff823b11fc>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff823b11fc>] ip_local_deliver+0x1ac/0x390 net/ipv4/ip_input.c:257
[<ffffffff823b0049>] dst_input include/net/dst.h:504 [inline]
[<ffffffff823b0049>] ip_rcv_finish+0x759/0x1220 net/ipv4/ip_input.c:365
[<ffffffff823b1c79>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff823b1c79>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff823b1c79>] ip_rcv+0x899/0xfc0 net/ipv4/ip_input.c:455
[<ffffffff82227e28>] __netif_receive_skb_core+0x12c8/0x2820 net/core/dev.c:4041
[<ffffffff822304db>] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4076
[<ffffffff8223787a>] process_backlog+0x20a/0x670 net/core/dev.c:4669
[<ffffffff82236c87>] napi_poll net/core/dev.c:4907 [inline]
[<ffffffff82236c87>] net_rx_action+0x367/0xd50 net/core/dev.c:4972
[<ffffffff82714f9c>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
[<ffffffff8271319c>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:929
<EOI> [<ffffffff810e1a84>] do_softirq.part.2+0x54/0x60 kernel/softirq.c:317
[<ffffffff810e1bd9>] do_softirq+0x19/0x20 kernel/softirq.c:320
[<ffffffff8222648c>] netif_rx_ni+0xec/0x3a0 net/core/dev.c:3675
[<ffffffff81e1b2ea>] tun_get_user+0xf3a/0x2690 drivers/net/tun.c:1264
[<ffffffff81e1cc55>] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1283
[<ffffffff81491c33>] do_iter_readv_writev+0x133/0x1d0 fs/read_write.c:664
[<ffffffff81492f65>] do_readv_writev+0x335/0x6f0 fs/read_write.c:808
[<ffffffff8149344b>] vfs_writev+0x7b/0xb0 fs/read_write.c:847
[<ffffffff81495929>] SYSC_writev fs/read_write.c:880 [inline]
[<ffffffff81495929>] SyS_writev+0xd9/0x250 fs/read_write.c:872
[<ffffffff827120a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
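Editor's note and example, added here and not part of the syzbot report above. The warning comes from debug_object_activate() being called on an rcu_head that debugobjects already tracks as active, and "active state 1" is STATE_RCU_HEAD_QUEUED from kernel/rcu/rcu.h: call_rcu() was invoked a second time on the same struct xfrm_policy's rcu_head before the first callback had run, i.e. xfrm_policy_destroy() ran twice for one policy. Since xfrm_pol_put() only reaches it when the reference count drops to zero, the trace points at a reference-count imbalance on a policy handed back through __xfrm_policy_check(); the report itself does not identify which path gets the count wrong. The C program below is a constructed userspace model of that check: the debugobjects state, the rcu_head active state and the atomic_t-style refcount reuse the kernel's names only for readability, the "stale reference" sequence is one hypothetical way to trip the warning and not the diagnosed root cause, and the modelled xfrm_policy_destroy() omits the timer checks the real 4.4 function does first.

```c
/* Constructed userspace model of the check that fired above. Kernel names are
 * reused for readability; this is not kernel code. */
#include <stddef.h>
#include <stdio.h>

enum odebug_state { ODEBUG_STATE_NONE, ODEBUG_STATE_ACTIVE, ODEBUG_STATE_INACTIVE };
#define STATE_RCU_HEAD_READY  0 /* rcu_head "active state" values, kernel/rcu/rcu.h */
#define STATE_RCU_HEAD_QUEUED 1

struct rcu_head {
	void (*func)(struct rcu_head *);
	enum odebug_state state; /* what debugobjects believes about this head */
	unsigned int astate;     /* STATE_RCU_HEAD_READY or _QUEUED */
};

static int odebug_warnings;         /* each one is a WARNING in the real kernel */
static struct rcu_head *pending[8]; /* callbacks queued but not yet run */
static int npending;

/* Model of debug_rcu_head_queue(): queueing a head that debugobjects already
 * tracks as ACTIVE is the "activate active" condition in the report. */
static int debug_rcu_head_queue(struct rcu_head *head)
{
	if (head->state == ODEBUG_STATE_ACTIVE) {
		odebug_warnings++;
		printf("ODEBUG: activate active (active state %u) object type: rcu_head\n",
		       head->astate);
		return -1;
	}
	head->state = ODEBUG_STATE_ACTIVE;
	head->astate = STATE_RCU_HEAD_QUEUED;
	return 0;
}

static void call_rcu(struct rcu_head *head, void (*func)(struct rcu_head *))
{
	/* panic_on_warn (set in the report) stops the kernel at the warning;
	 * without it the head would be linked into RCU's callback list twice. */
	if (debug_rcu_head_queue(head) != 0)
		return;
	head->func = func;
	pending[npending++] = head;
}

/* Grace period over: unqueue (debug_rcu_head_unqueue) and run each callback. */
static void rcu_run_callbacks(void)
{
	for (int i = 0; i < npending; i++) {
		pending[i]->astate = STATE_RCU_HEAD_READY;
		pending[i]->state = ODEBUG_STATE_INACTIVE;
		pending[i]->func(pending[i]);
	}
	npending = 0;
}

struct xfrm_policy {
	int refcnt;    /* atomic_t in 4.4: an increment from 0 is not detected */
	int destroyed; /* times the RCU callback ran; must end at 1 */
	struct rcu_head rcu;
};

static void xfrm_policy_destroy_rcu(struct rcu_head *head)
{
	struct xfrm_policy *pol = (void *)((char *)head - offsetof(struct xfrm_policy, rcu));
	pol->destroyed++; /* kfree(pol) in the kernel */
}

/* The 4.4 function also checks the policy's timers first; omitted here. */
static void xfrm_policy_destroy(struct xfrm_policy *pol) { call_rcu(&pol->rcu, xfrm_policy_destroy_rcu); }

static void xfrm_pol_hold(struct xfrm_policy *pol) { pol->refcnt++; }
static void xfrm_pol_put(struct xfrm_policy *pol)
{
	if (--pol->refcnt == 0)
		xfrm_policy_destroy(pol);
}

/* Balanced use: one hold/put pair, then the creator's final put. Returns 0. */
int balanced_scenario(void)
{
	struct xfrm_policy pol = { .refcnt = 1 }; /* creator's reference */
	odebug_warnings = npending = 0;
	xfrm_pol_hold(&pol);
	xfrm_pol_put(&pol);
	xfrm_pol_put(&pol); /* 1 -> 0: queued exactly once */
	rcu_run_callbacks();
	return odebug_warnings;
}

/* Hypothetical imbalance: a stale pointer takes a reference after the count
 * already hit zero and the head is queued, then drops it again. Returns 1. */
int stale_reference_scenario(void)
{
	struct xfrm_policy pol = { .refcnt = 1 };
	odebug_warnings = npending = 0;
	xfrm_pol_put(&pol);  /* 1 -> 0: call_rcu(), head QUEUED */
	xfrm_pol_hold(&pol); /* 0 -> 1: atomic_t does not complain */
	xfrm_pol_put(&pol);  /* 1 -> 0: second call_rcu() on the same head */
	rcu_run_callbacks();
	return odebug_warnings;
}
```

balanced_scenario() finishes with no warning and stale_reference_scenario() with exactly the one printed above. The point for triage: on a 4.4 kernel the atomic_t refcount accepts the increment from zero silently (refcount_t, which later kernels use for this field, warns on it), so with CONFIG_DEBUG_OBJECTS_RCU_HEAD the rcu_head check is the first thing that notices the imbalance, and without it the same bug surfaces later as a use-after-free of the policy.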