suspicious RCU usage at include/linux/inetdevice.h:LINE
6 views
Skip to first unread message
syzbot
Apr 13, 2019, 8:00:39 PM4/13/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: fe09418d Merge 4.4.114 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1026aacd800000
kernel config: https://syzkaller.appspot.com/x/.config?x=51f4476befd65731
dashboard link: https://syzkaller.appspot.com/bug?extid=4ae52e5b786652cf0a1c
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14fd0d85800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173658c5800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4ae52e...@syzkaller.appspotmail.com
===============================
[ INFO: suspicious RCU usage. ]
4.4.114-gfe09418 #3 Not tainted
-------------------------------
include/linux/inetdevice.h:205 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
3 locks held by syzkaller669405/4046:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff8146f64b>]
vm_mmap_pgoff+0x13b/0x1c0 mm/util.c:271
#1: (((&im->timer))){+.-...}, at: [<ffffffff812a035c>] lockdep_copy_map
include/linux/lockdep.h:165 [inline]
#1: (((&im->timer))){+.-...}, at: [<ffffffff812a035c>]
call_timer_fn+0xdc/0x860 kernel/time/timer.c:1175
#2: (&(&im->lock)->rlock){+.-...}, at: [<ffffffff831e03c9>] spin_lock_bh
include/linux/spinlock.h:307 [inline]
#2: (&(&im->lock)->rlock){+.-...}, at: [<ffffffff831e03c9>]
igmpv3_send_report+0x39/0x3e0 net/ipv4/igmp.c:594
stack backtrace:
CPU: 1 PID: 4046 Comm: syzkaller669405 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
0000000000000000 c5ab0c125d28b3e7 ffff8801db307970 ffffffff81d02e6d
ffff8801d9300000 0000000000000000 0000000000000001 ffffffff83cf6280
00000000160000e0 ffff8801db3079a0 ffffffff81232df9 ffff8801d956f000
Call Trace:
<IRQ> [<ffffffff81d02e6d>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81d02e6d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff81232df9>] lockdep_rcu_suspicious+0x139/0x180
kernel/locking/lockdep.c:4305
[<ffffffff831db3bc>] __in_dev_get_rcu include/linux/inetdevice.h:205
[inline]
[<ffffffff831db3bc>] igmpv3_get_srcaddr net/ipv4/igmp.c:335 [inline]
[<ffffffff831db3bc>] igmpv3_newpack+0xc3c/0xe80 net/ipv4/igmp.c:395
[<ffffffff831db835>] add_grhead.isra.30+0x235/0x300 net/ipv4/igmp.c:438
[<ffffffff831dc4fa>] add_grec+0x93a/0xe70 net/ipv4/igmp.c:560
[<ffffffff831e040f>] igmpv3_send_report+0x7f/0x3e0 net/ipv4/igmp.c:599
[<ffffffff831e114e>] igmp_send_report+0x95e/0xc30 net/ipv4/igmp.c:716
[<ffffffff831e1bad>] igmp_timer_expire+0x29d/0x3d0 net/ipv4/igmp.c:824
[<ffffffff812a040b>] call_timer_fn+0x18b/0x860 kernel/time/timer.c:1185
[<ffffffff812a2364>] __run_timers kernel/time/timer.c:1261 [inline]
[<ffffffff812a2364>] run_timer_softirq+0x604/0xbb0 kernel/time/timer.c:1444
[<ffffffff83776917>] __do_softirq+0x227/0xa38 kernel/softirq.c:273
[<ffffffff8113daf9>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8113daf9>] irq_exit+0x119/0x140 kernel/softirq.c:391
[<ffffffff8377607b>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
[<ffffffff8377607b>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:926
[<ffffffff83774fd0>] apic_timer_interrupt+0xa0/0xb0
arch/x86/entry/entry_64.S:737
<EOI> [<ffffffff837729ef>] ? arch_local_irq_restore
arch/x86/include/asm/paravirt.h:812 [inline]
<EOI> [<ffffffff837729ef>] ? __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:162 [inline]
<EOI> [<ffffffff837729ef>] ? _raw_spin_unlock_irqrestore+0x5f/0x70
kernel/locking/spinlock.c:191
[<ffffffff81d660a2>] __debug_check_no_obj_freed lib/debugobjects.c:710
[inline]
[<ffffffff81d660a2>] debug_check_no_obj_freed+0x2d2/0x9b0
lib/debugobjects.c:726
[<ffffffff8142d849>] free_pages_prepare+0x4a9/0xb30 mm/page_alloc.c:1049
[<ffffffff814328ac>] __free_pages_ok+0x1c/0xbd0 mm/page_alloc.c:1064
[<ffffffff814334be>] free_compound_page+0x5e/0x70 mm/page_alloc.c:504
[<ffffffff81446701>] __put_compound_page+0xa1/0xf0 mm/swap.c:89
[<ffffffff814476eb>] put_compound_page+0xdb/0xb80 mm/swap.c:249
[<ffffffff81449220>] release_pages+0x110/0x4f0 mm/swap.c:926
[<ffffffff814cfe42>] free_pages_and_swap_cache+0x102/0x140
mm/swap_state.c:266
[<ffffffff81494604>] tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:255
[<ffffffff814972c3>] tlb_flush_mmu mm/memory.c:264 [inline]
[<ffffffff814972c3>] tlb_finish_mmu+0x23/0xa0 mm/memory.c:275
[<ffffffff814a89d0>] unmap_region+0x250/0x330 mm/mmap.c:2470
[<ffffffff814acc2f>] do_munmap+0x70f/0xec0 mm/mmap.c:2664
[<ffffffff814afed3>] mmap_region+0x423/0x1250 mm/mmap.c:1605
[<ffffffff814b11fd>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
[<ffffffff8146f67e>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
[<ffffffff8146f67e>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:272
[<ffffffff814af160>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
[<ffffffff814af160>] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1449
[<ffffffff8101beb6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
[<ffffffff8101beb6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
[<ffffffff8377341f>] entry_SYSCALL_64_fastpath+0x1c/0x98
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: fe09418d Merge 4.4.114 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1026aacd800000
kernel config: https://syzkaller.appspot.com/x/.config?x=51f4476befd65731
dashboard link: https://syzkaller.appspot.com/bug?extid=4ae52e5b786652cf0a1c
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14fd0d85800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173658c5800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4ae52e...@syzkaller.appspotmail.com
===============================
[ INFO: suspicious RCU usage. ]
4.4.114-gfe09418 #3 Not tainted
-------------------------------
include/linux/inetdevice.h:205 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
3 locks held by syzkaller669405/4046:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff8146f64b>]
vm_mmap_pgoff+0x13b/0x1c0 mm/util.c:271
#1: (((&im->timer))){+.-...}, at: [<ffffffff812a035c>] lockdep_copy_map
include/linux/lockdep.h:165 [inline]
#1: (((&im->timer))){+.-...}, at: [<ffffffff812a035c>]
call_timer_fn+0xdc/0x860 kernel/time/timer.c:1175
#2: (&(&im->lock)->rlock){+.-...}, at: [<ffffffff831e03c9>] spin_lock_bh
include/linux/spinlock.h:307 [inline]
#2: (&(&im->lock)->rlock){+.-...}, at: [<ffffffff831e03c9>]
igmpv3_send_report+0x39/0x3e0 net/ipv4/igmp.c:594
stack backtrace:
CPU: 1 PID: 4046 Comm: syzkaller669405 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
0000000000000000 c5ab0c125d28b3e7 ffff8801db307970 ffffffff81d02e6d
ffff8801d9300000 0000000000000000 0000000000000001 ffffffff83cf6280
00000000160000e0 ffff8801db3079a0 ffffffff81232df9 ffff8801d956f000
Call Trace:
<IRQ> [<ffffffff81d02e6d>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81d02e6d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff81232df9>] lockdep_rcu_suspicious+0x139/0x180
kernel/locking/lockdep.c:4305
[<ffffffff831db3bc>] __in_dev_get_rcu include/linux/inetdevice.h:205
[inline]
[<ffffffff831db3bc>] igmpv3_get_srcaddr net/ipv4/igmp.c:335 [inline]
[<ffffffff831db3bc>] igmpv3_newpack+0xc3c/0xe80 net/ipv4/igmp.c:395
[<ffffffff831db835>] add_grhead.isra.30+0x235/0x300 net/ipv4/igmp.c:438
[<ffffffff831dc4fa>] add_grec+0x93a/0xe70 net/ipv4/igmp.c:560
[<ffffffff831e040f>] igmpv3_send_report+0x7f/0x3e0 net/ipv4/igmp.c:599
[<ffffffff831e114e>] igmp_send_report+0x95e/0xc30 net/ipv4/igmp.c:716
[<ffffffff831e1bad>] igmp_timer_expire+0x29d/0x3d0 net/ipv4/igmp.c:824
[<ffffffff812a040b>] call_timer_fn+0x18b/0x860 kernel/time/timer.c:1185
[<ffffffff812a2364>] __run_timers kernel/time/timer.c:1261 [inline]
[<ffffffff812a2364>] run_timer_softirq+0x604/0xbb0 kernel/time/timer.c:1444
[<ffffffff83776917>] __do_softirq+0x227/0xa38 kernel/softirq.c:273
[<ffffffff8113daf9>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8113daf9>] irq_exit+0x119/0x140 kernel/softirq.c:391
[<ffffffff8377607b>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
[<ffffffff8377607b>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:926
[<ffffffff83774fd0>] apic_timer_interrupt+0xa0/0xb0
arch/x86/entry/entry_64.S:737
<EOI> [<ffffffff837729ef>] ? arch_local_irq_restore
arch/x86/include/asm/paravirt.h:812 [inline]
<EOI> [<ffffffff837729ef>] ? __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:162 [inline]
<EOI> [<ffffffff837729ef>] ? _raw_spin_unlock_irqrestore+0x5f/0x70
kernel/locking/spinlock.c:191
[<ffffffff81d660a2>] __debug_check_no_obj_freed lib/debugobjects.c:710
[inline]
[<ffffffff81d660a2>] debug_check_no_obj_freed+0x2d2/0x9b0
lib/debugobjects.c:726
[<ffffffff8142d849>] free_pages_prepare+0x4a9/0xb30 mm/page_alloc.c:1049
[<ffffffff814328ac>] __free_pages_ok+0x1c/0xbd0 mm/page_alloc.c:1064
[<ffffffff814334be>] free_compound_page+0x5e/0x70 mm/page_alloc.c:504
[<ffffffff81446701>] __put_compound_page+0xa1/0xf0 mm/swap.c:89
[<ffffffff814476eb>] put_compound_page+0xdb/0xb80 mm/swap.c:249
[<ffffffff81449220>] release_pages+0x110/0x4f0 mm/swap.c:926
[<ffffffff814cfe42>] free_pages_and_swap_cache+0x102/0x140
mm/swap_state.c:266
[<ffffffff81494604>] tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:255
[<ffffffff814972c3>] tlb_flush_mmu mm/memory.c:264 [inline]
[<ffffffff814972c3>] tlb_finish_mmu+0x23/0xa0 mm/memory.c:275
[<ffffffff814a89d0>] unmap_region+0x250/0x330 mm/mmap.c:2470
[<ffffffff814acc2f>] do_munmap+0x70f/0xec0 mm/mmap.c:2664
[<ffffffff814afed3>] mmap_region+0x423/0x1250 mm/mmap.c:1605
[<ffffffff814b11fd>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
[<ffffffff8146f67e>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
[<ffffffff8146f67e>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:272
[<ffffffff814af160>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
[<ffffffff814af160>] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1449
[<ffffffff8101beb6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
[<ffffffff8101beb6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
[<ffffffff8377341f>] entry_SYSCALL_64_fastpath+0x1c/0x98
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages