INFO: suspicious RCU usage in fib6_del


syzbot

Apr 11, 2019, 4:44:48 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1228816f200000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=71bd1842f954469fec45
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174fa6bd200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12eca60b200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+71bd18...@syzkaller.appspotmail.com

netlink: 8 bytes leftover after parsing attributes in process `syz-executor734'.
===============================
[ INFO: suspicious RCU usage. ]
4.4.174+ #4 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1465 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 1, debug_locks = 0
4 locks held by syz-executor734/2078:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff8226e537>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
#1: (fib6_gc_lock){+.....}, at: [<ffffffff825fa48c>] spin_trylock_bh include/linux/spinlock.h:367 [inline]
#1: (fib6_gc_lock){+.....}, at: [<ffffffff825fa48c>] fib6_run_gc+0x18c/0x230 net/ipv6/ip6_fib.c:1812
#2: (rcu_read_lock){......}, at: [<ffffffff825f1ee0>] __fib6_clean_all+0x0/0x240 net/ipv6/ip6_fib.c:1698
#3: (&tb->tb6_lock){++....}, at: [<ffffffff825f1fc8>] __fib6_clean_all+0xe8/0x240 net/ipv6/ip6_fib.c:1712

stack backtrace:
CPU: 1 PID: 2078 Comm: syz-executor734 Not tainted 4.4.174+ #4
0000000000000000 61f24f216b50eb0c ffff8800b6e37530 ffffffff81aad1a1
ffff8800b6ccc380 0000000000000000 0000000000000001 00000000000005b9
ffff8800b7c197c0 ffff8800b6e37560 ffffffff813ab7d6 ffff8800b6e37780
Call Trace:
[<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813ab7d6>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4305
[<ffffffff825f9ada>] fib6_del+0x7ea/0xae0 net/ipv6/ip6_fib.c:1465
[<ffffffff825fa06c>] fib6_clean_node+0x29c/0x500 net/ipv6/ip6_fib.c:1652
[<ffffffff825f1830>] fib6_walk_continue+0x3e0/0x630 net/ipv6/ip6_fib.c:1578
[<ffffffff825f1d71>] fib6_walk+0x91/0xe0 net/ipv6/ip6_fib.c:1623
[<ffffffff825f1ea8>] fib6_clean_tree+0xe8/0x120 net/ipv6/ip6_fib.c:1697
[<ffffffff825f1fe0>] __fib6_clean_all+0x100/0x240 net/ipv6/ip6_fib.c:1713
[<ffffffff825fa3af>] fib6_clean_all net/ipv6/ip6_fib.c:1724 [inline]
[<ffffffff825fa3af>] fib6_run_gc+0xaf/0x230 net/ipv6/ip6_fib.c:1821
[<ffffffff82606780>] ndisc_netdev_event+0x2b0/0x360 net/ipv6/ndisc.c:1707
[<ffffffff81137e69>] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93
[<ffffffff81137ffe>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
[<ffffffff81137ffe>] raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
[<ffffffff822274e6>] call_netdevice_notifiers_info+0x56/0x70 net/core/dev.c:1643
[<ffffffff82228113>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
[<ffffffff82228113>] dev_close_many+0x2f3/0x6a0 net/core/dev.c:1452
[<ffffffff822349d0>] rollback_registered_many+0x3a0/0x9a0 net/core/dev.c:6350
[<ffffffff822350c2>] rollback_registered+0xf2/0x1b0 net/core/dev.c:6413
[<ffffffff8223d9ae>] unregister_netdevice_queue net/core/dev.c:7363 [inline]
[<ffffffff8223d9ae>] unregister_netdevice_queue+0x1ae/0x230 net/core/dev.c:7356
[<ffffffff81e1fdeb>] unregister_netdevice include/linux/netdevice.h:2289 [inline]
[<ffffffff81e1fdeb>] __tun_detach+0x86b/0xa50 drivers/net/tun.c:548
[<ffffffff81e20016>] tun_detach drivers/net/tun.c:557 [inline]
[<ffffffff81e20016>] tun_chr_close+0x46/0x60 drivers/net/tun.c:2263
[<ffffffff8149c8c6>] __fput+0x246/0x710 fs/file_table.c:208
[<ffffffff8149ce16>] ____fput+0x16/0x20 fs/file_table.c:244
[<ffffffff8112f352>] task_work_run+0x202/0x2b0 kernel/task_work.c:115
[<ffffffff810d8b2a>] exit_task_work include/linux/task_work.h:21 [inline]
[<ffffffff810d8b2a>] do_exit+0x8ea/0x2c60 kernel/exit.c:763
[<ffffffff82719755>] ?


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 4:44:49 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1597fdfe ANDROID: arm64: lse: fix LSE atomics with LTO
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=10ecb7c7200000
kernel config: https://syzkaller.appspot.com/x/.config?x=c3aa51a48c31c16b
dashboard link: https://syzkaller.appspot.com/bug?extid=2bf66e181d386349aae2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177c2f8d200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128bce5f200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2bf66e...@syzkaller.appspotmail.com

random: crng init done
netlink: 8 bytes leftover after parsing attributes in process `syz-executor580'.
===============================
[ INFO: suspicious RCU usage. ]
4.9.155+ #27 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1470 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor580/2072:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff82343527>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
#1: (&(&net->ipv6.fib6_gc_lock)->rlock){+.....}, at: [<ffffffff826ef36c>] spin_trylock_bh include/linux/spinlock.h:367 [inline]
#1: (&(&net->ipv6.fib6_gc_lock)->rlock){+.....}, at: [<ffffffff826ef36c>] fib6_run_gc+0x22c/0x2e0 net/ipv6/ip6_fib.c:1817
#2: (rcu_read_lock){......}, at: [<ffffffff826e69f0>] __fib6_clean_all+0x0/0x230 net/ipv6/ip6_fib.c:1703
#3: (&tb->tb6_lock){++....}, at: [<ffffffff826e6ad3>] __fib6_clean_all+0xe3/0x230 net/ipv6/ip6_fib.c:1717

stack backtrace:
CPU: 0 PID: 2072 Comm: syz-executor580 Not tainted 4.9.155+ #27
ffff8801ce2d7470 ffffffff81b47871 ffff8801ce8b0380 0000000000000000
0000000000000002 00000000000005be ffff8801d25a5f00 ffff8801ce2d74a0
ffffffff813fed99 ffff8801ce2d76c0 dffffc0000000000 00000000ffffffff
Call Trace:
[<ffffffff81b47871>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b47871>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813fed99>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4455
[<ffffffff826ee93f>] fib6_del+0x81f/0xb20 net/ipv6/ip6_fib.c:1470
[<ffffffff826eeedc>] fib6_clean_node+0x29c/0x4d0 net/ipv6/ip6_fib.c:1657
[<ffffffff826e62c0>] fib6_walk_continue+0x3e0/0x630 net/ipv6/ip6_fib.c:1583
[<ffffffff826e687d>] fib6_walk+0x9d/0xf0 net/ipv6/ip6_fib.c:1628
[<ffffffff826e69b7>] fib6_clean_tree+0xe7/0x120 net/ipv6/ip6_fib.c:1702
[<ffffffff826e6aeb>] __fib6_clean_all+0xfb/0x230 net/ipv6/ip6_fib.c:1718
[<ffffffff826ef264>] fib6_clean_all net/ipv6/ip6_fib.c:1729 [inline]
[<ffffffff826ef264>] fib6_run_gc+0x124/0x2e0 net/ipv6/ip6_fib.c:1826
[<ffffffff826fa86b>] ndisc_netdev_event+0x2ab/0x350 net/ipv6/ndisc.c:1750
[<ffffffff81146e34>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff81146fbe>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
[<ffffffff81146fbe>] raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
[<ffffffff822f7586>] call_netdevice_notifiers_info+0x56/0x70 net/core/dev.c:1647
[<ffffffff822f8283>] call_netdevice_notifiers net/core/dev.c:1663 [inline]
[<ffffffff822f8283>] dev_close_many+0x2f3/0x6a0 net/core/dev.c:1456
[<ffffffff82305c20>] rollback_registered_many+0x3a0/0xb50 net/core/dev.c:6838
[<ffffffff823064c2>] rollback_registered+0xf2/0x1b0 net/core/dev.c:6901
[<ffffffff8230fd1e>] unregister_netdevice_queue net/core/dev.c:7888 [inline]
[<ffffffff8230fd1e>] unregister_netdevice_queue+0x1ae/0x230 net/core/dev.c:7881
[<ffffffff81ed5810>] unregister_netdevice include/linux/netdevice.h:2468 [inline]
[<ffffffff81ed5810>] __tun_detach+0x820/0xa00 drivers/net/tun.c:575
[<ffffffff81ed5a36>] tun_detach drivers/net/tun.c:585 [inline]
[<ffffffff81ed5a36>] tun_chr_close+0x46/0x60 drivers/net/tun.c:2392
[<ffffffff81512344>] __fput+0x274/0x720 fs/file_table.c:208
[<ffffffff81512876>] ____fput+0x16/0x20 fs/file_table.c:244
[<ffffffff8113cf88>] task_work_run+0x108/0x180 kernel/task_work.c:116
[<ffffffff810e5bbb>] exit_task_work include/linux/task_work.h:21 [inline]
[<ffffffff810e5bbb>] do_exit+0x78b/0x2aa0 kernel/exit.c:841
[<ffffffff810ec2c1>] do_group_exit+0x111/0x300 kernel/exit.c:945
[<ffffffff810ec4cd>] SYSC_exit_group kernel/exit.c:956 [inline]
[<ffffffff810ec4cd>] SyS_exit_group+0x1d/0x20 kernel/exit.c:954
[<fffffff