Hello,
syzbot found the following crash on:
HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1228816f200000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=71bd1842f954469fec45
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174fa6bd200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12eca60b200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+71bd18...@syzkaller.appspotmail.com
netlink: 8 bytes leftover after parsing attributes in process `syz-executor734'.
===============================
[ INFO: suspicious RCU usage. ]
4.4.174+ #4 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1465 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
4 locks held by syz-executor734/2078:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff8226e537>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
#1: (fib6_gc_lock){+.....}, at: [<ffffffff825fa48c>] spin_trylock_bh include/linux/spinlock.h:367 [inline]
#1: (fib6_gc_lock){+.....}, at: [<ffffffff825fa48c>] fib6_run_gc+0x18c/0x230 net/ipv6/ip6_fib.c:1812
#2: (rcu_read_lock){......}, at: [<ffffffff825f1ee0>] __fib6_clean_all+0x0/0x240 net/ipv6/ip6_fib.c:1698
#3: (&tb->tb6_lock){++....}, at: [<ffffffff825f1fc8>] __fib6_clean_all+0xe8/0x240 net/ipv6/ip6_fib.c:1712
stack backtrace:
CPU: 1 PID: 2078 Comm: syz-executor734 Not tainted 4.4.174+ #4
0000000000000000 61f24f216b50eb0c ffff8800b6e37530 ffffffff81aad1a1
ffff8800b6ccc380 0000000000000000 0000000000000001 00000000000005b9
ffff8800b7c197c0 ffff8800b6e37560 ffffffff813ab7d6 ffff8800b6e37780
Call Trace:
[<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813ab7d6>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4305
[<ffffffff825f9ada>] fib6_del+0x7ea/0xae0 net/ipv6/ip6_fib.c:1465
[<ffffffff825fa06c>] fib6_clean_node+0x29c/0x500 net/ipv6/ip6_fib.c:1652
[<ffffffff825f1830>] fib6_walk_continue+0x3e0/0x630 net/ipv6/ip6_fib.c:1578
[<ffffffff825f1d71>] fib6_walk+0x91/0xe0 net/ipv6/ip6_fib.c:1623
[<ffffffff825f1ea8>] fib6_clean_tree+0xe8/0x120 net/ipv6/ip6_fib.c:1697
[<ffffffff825f1fe0>] __fib6_clean_all+0x100/0x240 net/ipv6/ip6_fib.c:1713
[<ffffffff825fa3af>] fib6_clean_all net/ipv6/ip6_fib.c:1724 [inline]
[<ffffffff825fa3af>] fib6_run_gc+0xaf/0x230 net/ipv6/ip6_fib.c:1821
[<ffffffff82606780>] ndisc_netdev_event+0x2b0/0x360 net/ipv6/ndisc.c:1707
[<ffffffff81137e69>] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93
[<ffffffff81137ffe>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
[<ffffffff81137ffe>] raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
[<ffffffff822274e6>] call_netdevice_notifiers_info+0x56/0x70 net/core/dev.c:1643
[<ffffffff82228113>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
[<ffffffff82228113>] dev_close_many+0x2f3/0x6a0 net/core/dev.c:1452
[<ffffffff822349d0>] rollback_registered_many+0x3a0/0x9a0 net/core/dev.c:6350
[<ffffffff822350c2>] rollback_registered+0xf2/0x1b0 net/core/dev.c:6413
[<ffffffff8223d9ae>] unregister_netdevice_queue net/core/dev.c:7363 [inline]
[<ffffffff8223d9ae>] unregister_netdevice_queue+0x1ae/0x230 net/core/dev.c:7356
[<ffffffff81e1fdeb>] unregister_netdevice include/linux/netdevice.h:2289 [inline]
[<ffffffff81e1fdeb>] __tun_detach+0x86b/0xa50 drivers/net/tun.c:548
[<ffffffff81e20016>] tun_detach drivers/net/tun.c:557 [inline]
[<ffffffff81e20016>] tun_chr_close+0x46/0x60 drivers/net/tun.c:2263
[<ffffffff8149c8c6>] __fput+0x246/0x710 fs/file_table.c:208
[<ffffffff8149ce16>] ____fput+0x16/0x20 fs/file_table.c:244
[<ffffffff8112f352>] task_work_run+0x202/0x2b0 kernel/task_work.c:115
[<ffffffff810d8b2a>] exit_task_work include/linux/task_work.h:21 [inline]
[<ffffffff810d8b2a>] do_exit+0x8ea/0x2c60 kernel/exit.c:763
[<ffffffff82719755>] ?
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches