WARNING in kernfs_add_one


syzbot

May 5, 2018, 11:47:03 AM5/5/18
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot found the following crash on:

HEAD commit: 8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14b27237800000
kernel config: https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
dashboard link: https://syzkaller.appspot.com/bug?extid=df47f81c226b31d89fb1
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=172fb3e7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16552e57800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+df47f8...@syzkaller.appspotmail.com

RBP: 00007fff808f3e10 R08: 0000000000000002 R09: 00007fff80003534
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
------------[ cut here ]------------
kernfs: ns required in 'ieee80211' for 'phy3'
WARNING: CPU: 0 PID: 4538 at fs/kernfs/dir.c:759 kernfs_add_one+0x406/0x4d0 fs/kernfs/dir.c:758
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4538 Comm: syz-executor486 Not tainted 4.17.0-rc3+ #33
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
panic+0x22f/0x4de kernel/panic.c:184
__warn.cold.8+0x163/0x1b3 kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:kernfs_add_one+0x406/0x4d0 fs/kernfs/dir.c:758
RSP: 0018:ffff8801ca9eece0 EFLAGS: 00010286
RAX: 000000000000002d RBX: ffffffff87d5cee0 RCX: ffffffff8160ba7d
RDX: 0000000000000000 RSI: ffffffff81610731 RDI: ffff8801ca9ee840
RBP: ffff8801ca9eed20 R08: ffff8801d9538500 R09: 0000000000000006
R10: ffff8801d9538500 R11: 0000000000000000 R12: ffff8801ad1cb6c0
R13: ffffffff885da640 R14: 0000000000000020 R15: 0000000000000000
kernfs_create_link+0x112/0x180 fs/kernfs/symlink.c:41
sysfs_do_create_link_sd.isra.2+0x90/0x130 fs/sysfs/symlink.c:43
sysfs_do_create_link fs/sysfs/symlink.c:79 [inline]
sysfs_create_link+0x65/0xc0 fs/sysfs/symlink.c:91
device_add_class_symlinks drivers/base/core.c:1612 [inline]
device_add+0x7a0/0x16d0 drivers/base/core.c:1810
wiphy_register+0x178a/0x2430 net/wireless/core.c:806
ieee80211_register_hw+0x13cd/0x35d0 net/mac80211/main.c:1047
mac80211_hwsim_new_radio+0x1d9b/0x3410 drivers/net/wireless/mac80211_hwsim.c:2772
hwsim_new_radio_nl+0x7a7/0xa60 drivers/net/wireless/mac80211_hwsim.c:3246
genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:639
___sys_sendmsg+0x805/0x940 net/socket.c:2117
__sys_sendmsg+0x115/0x270 net/socket.c:2155
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4404c9
RSP: 002b:00007fff808f3e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004404c9
RDX: 0000000000000000 RSI: 0000000020b3dfc8 RDI: 0000000000000005
RBP: 00007fff808f3e10 R08: 0000000000000002 R09: 00007fff80003534
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

Greg KH

May 5, 2018, 12:40:53 PM5/5/18
to net...@vger.kernel.org, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On Sat, May 05, 2018 at 08:47:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=14b27237800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
> dashboard link: https://syzkaller.appspot.com/bug?extid=df47f81c226b31d89fb1
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=172fb3e7800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16552e57800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+df47f8...@syzkaller.appspotmail.com
>
> RBP: 00007fff808f3e10 R08: 0000000000000002 R09: 00007fff80003534
> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
> R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
> ------------[ cut here ]------------
> kernfs: ns required in 'ieee80211' for 'phy3'

That's interesting, this looks like a netfilter bug (adding netdev to
the report here.)

Yes, we can "tone down" the kernfs warning to just be an error message
in the log, but there might be something worse going on here.

Network developers, any idea? Rest of the callback chain is here:
Any ideas?

thanks,

greg k-h

Eric Dumazet

May 5, 2018, 1:43:48 PM5/5/18
to Greg KH, net...@vger.kernel.org, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org


On 05/05/2018 09:40 AM, Greg KH wrote:
> On Sat, May 05, 2018 at 08:47:02AM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
>> git tree: net-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14b27237800000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
>> dashboard link: https://syzkaller.appspot.com/bug?extid=df47f81c226b31d89fb1
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=172fb3e7800000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16552e57800000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+df47f8...@syzkaller.appspotmail.com
>>
>> RBP: 00007fff808f3e10 R08: 0000000000000002 R09: 00007fff80003534
>> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
>> R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
>> ------------[ cut here ]------------
>> kernfs: ns required in 'ieee80211' for 'phy3'
>
> That's interesting, this looks like a netfilter bug (adding netdev to
> the report here.)


I do not see anything netfilter related here.

More likely wireless territory

Greg KH

May 5, 2018, 6:07:36 PM5/5/18
to linux-w...@vger.kernel.org, Eric Dumazet, net...@vger.kernel.org, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On Sat, May 05, 2018 at 10:43:45AM -0700, Eric Dumazet wrote:
>
>
> On 05/05/2018 09:40 AM, Greg KH wrote:
> > On Sat, May 05, 2018 at 08:47:02AM -0700, syzbot wrote:
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit: 8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
> >> git tree: net-next
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=14b27237800000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=df47f81c226b31d89fb1
> >> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=172fb3e7800000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16552e57800000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+df47f8...@syzkaller.appspotmail.com
> >>
> >> RBP: 00007fff808f3e10 R08: 0000000000000002 R09: 00007fff80003534
> >> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
> >> R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
> >> ------------[ cut here ]------------
> >> kernfs: ns required in 'ieee80211' for 'phy3'
> >
> > That's interesting, this looks like a netfilter bug (adding netdev to
> > the report here.)
>
>
> I do not see anything netfilter related here.
>
> More likely wireless territory

Ugh, that's what I get for writing emails before coffee in the
morning...

Yes, you are right, this looks like a wireless issue.

Now cc: linux-wireless.

Johannes Berg

May 7, 2018, 4:43:12 AM5/7/18
to Greg KH, linux-w...@vger.kernel.org, Eric Dumazet, net...@vger.kernel.org, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On Sat, 2018-05-05 at 15:07 -0700, Greg KH wrote:

> > > > syzbot found the following crash on:

Maybe it should learn to differentiate warnings, if it's going to set
panic_on_warn :-)

I get why, but still, at least differentiating in the emails wouldn't be
bad.

> > > > kernfs: ns required in 'ieee80211' for 'phy3'

Huh. What does that even mean?

> > > > RIP: 0010:kernfs_add_one+0x406/0x4d0 fs/kernfs/dir.c:758
> > > > RSP: 0018:ffff8801ca9eece0 EFLAGS: 00010286
> > > > RAX: 000000000000002d RBX: ffffffff87d5cee0 RCX: ffffffff8160ba7d
> > > > RDX: 0000000000000000 RSI: ffffffff81610731 RDI: ffff8801ca9ee840
> > > > RBP: ffff8801ca9eed20 R08: ffff8801d9538500 R09: 0000000000000006
> > > > R10: ffff8801d9538500 R11: 0000000000000000 R12: ffff8801ad1cb6c0
> > > > R13: ffffffff885da640 R14: 0000000000000020 R15: 0000000000000000
> > > > kernfs_create_link+0x112/0x180 fs/kernfs/symlink.c:41
> > > > sysfs_do_create_link_sd.isra.2+0x90/0x130 fs/sysfs/symlink.c:43
> > > > sysfs_do_create_link fs/sysfs/symlink.c:79 [inline]
> > > > sysfs_create_link+0x65/0xc0 fs/sysfs/symlink.c:91
> > > > device_add_class_symlinks drivers/base/core.c:1612 [inline]
> > > > device_add+0x7a0/0x16d0 drivers/base/core.c:1810
> > > > wiphy_register+0x178a/0x2430 net/wireless/core.c:806
> > > > ieee80211_register_hw+0x13cd/0x35d0 net/mac80211/main.c:1047
> > > > mac80211_hwsim_new_radio+0x1d9b/0x3410 drivers/net/wireless/mac80211_hwsim.c:2772
> > > > hwsim_new_radio_nl+0x7a7/0xa60 drivers/net/wireless/mac80211_hwsim.c:3246
> > > > genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599

Basically we're creating a new virtual radio, which in turn creates a
new device, which we have to register.

Something is going on with the context here that makes sysfs unhappy,
but TBH I have no idea what.

johannes

Dmitry Vyukov

May 7, 2018, 5:33:55 AM5/7/18
to Johannes Berg, Greg KH, linux-w...@vger.kernel.org, Eric Dumazet, netdev, syzbot, LKML, syzkaller-bugs, Tejun Heo
On Mon, May 7, 2018 at 10:43 AM, Johannes Berg
<joha...@sipsolutions.net> wrote:
> On Sat, 2018-05-05 at 15:07 -0700, Greg KH wrote:
>
>> > > > syzbot found the following crash on:
>
> Maybe it should learn to differentiate warnings, if it's going to set
> panic_on_warn :-)

How?
Note that this is not specific to syzbot. If you see WARNINGs in a
subsystem that you have no idea about (or you just a normal user),
what do you do? Right, you report it to maintainers.


> I get why, but still, at least differentiating in the emails wouldn't be
> bad.

Well, the subject says "WARNING".
But note there are _very_ bad WARNINGs too. Generally, a WARNING means
a kernel bug just that kernel can tolerate without bringing the system
down (as opposed to BUG).

Johannes Berg

May 7, 2018, 5:53:17 AM5/7/18
to Dmitry Vyukov, Greg KH, linux-w...@vger.kernel.org, Eric Dumazet, netdev, syzbot, LKML, syzkaller-bugs, Tejun Heo
On Mon, 2018-05-07 at 11:33 +0200, Dmitry Vyukov wrote:
> On Mon, May 7, 2018 at 10:43 AM, Johannes Berg
> <joha...@sipsolutions.net> wrote:
> > On Sat, 2018-05-05 at 15:07 -0700, Greg KH wrote:
> >
> > > > > > syzbot found the following crash on:
> >
> > Maybe it should learn to differentiate warnings, if it's going to set
> > panic_on_warn :-)
>
> How?
> Note that this is not specific to syzbot. If you see WARNINGs in a
> subsystem that you have no idea about (or you just a normal user),
> what do you do? Right, you report it to maintainers.

Yeah, no problem with that. Just some people seem to get so much more
upset about crashes ... but then again I get bug reports about WARN_ON
all the time anyway that say "my kernel crashed" so I guess it doesn't
really matter :-)

> > I get why, but still, at least differentiating in the emails wouldn't be
> > bad.
>
> Well, the subject says "WARNING".
> But note there are _very_ bad WARNINGs too. Generally, a WARNING means
> a kernel bug just that kernel can tolerate without bringing the system
> down (as opposed to BUG).

Yeah, fair point. I sort of missed the subject I guess.

johannes

Tetsuo Handa

May 7, 2018, 6:10:44 AM5/7/18
to Greg KH, Eric Dumazet, syzbot, linux-w...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org, Johannes Berg
On 2018/05/06 7:07, Greg KH wrote:
>> More likely wireless territory
>
> Ugh, that's what I get for writing emails before coffee in the
> morning...
>
> Yes, you are right, this looks like a wireless issue.
>
> Now cc: linux-wireless.
>
Nope, if you look at previous fault injection messages...



From 7ddcaa3d4327d4f29d11053bd2011bf77ecf72af Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Date: Mon, 7 May 2018 14:19:50 +0900
Subject: [PATCH] driver core: Don't ignore class_dir_create_and_add() failure.

syzbot is hitting WARN() at kernfs_add_one() [1].
This is because kernfs_create_link() is confused by previous device_add()
call which continued without setting dev->kobj.parent field when
get_device_parent() failed by memory allocation fault injection.
Fix this by propagating the error from class_dir_create_and_add() to
the callers of get_device_parent().

[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f

Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+df47f8...@syzkaller.appspotmail.com>
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/base/core.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index b610816..d680fd0 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1467,7 +1467,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)

dir = kzalloc(sizeof(*dir), GFP_KERNEL);
if (!dir)
- return NULL;
+ return ERR_PTR(-ENOMEM);

dir->class = class;
kobject_init(&dir->kobj, &class_dir_ktype);
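Review bot: changing class_dir_create_and_add()'s failure value from NULL to ERR_PTR(-ENOMEM) in this hunk is only safe if nothing between this function and the callers patched further down still tests the result with `if (!kobj)`, because an ERR_PTR passes that test as a valid pointer. The commit message says the error is propagated through get_device_parent(), yet that function is not touched by the diff; either state in the commit message that get_device_parent() hands the value back unchanged, or add the IS_ERR() handling there as well so the propagation does not depend on an unstated property of code outside the patch.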
@@ -1477,7 +1477,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name);
if (retval < 0) {
kobject_put(&dir->kobj);
- return NULL;
+ return ERR_PTR(retval);
}
return &dir->kobj;
}
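Review bot: returning ERR_PTR(retval) after kobject_put(&dir->kobj) is the right order, since the put releases the partially initialised dir before the error is reported, but the function's contract has now changed in two places and nothing in the patch documents it. Add a comment above class_dir_create_and_add() saying it returns the new kobject or an ERR_PTR and never NULL, so the next caller does not fall back to a NULL check, and consider the same for get_device_parent(), which after this patch can return a kobject, NULL (no glue directory needed) or an ERR_PTR.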
@@ -1784,6 +1784,10 @@ int device_add(struct device *dev)

parent = get_device(dev->parent);
kobj = get_device_parent(dev, parent);
+ if (IS_ERR(kobj)) {
+ error = PTR_ERR(kobj);
+ goto parent_error;
+ }
if (kobj)
dev->kobj.parent = kobj;

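Review bot: `goto parent_error` is taken right after `parent = get_device(dev->parent)` and before any kobject_add(), so the only cleanup the new path may perform is put_device(parent); the label therefore has to sit after kobject_del() and cleanup_glue_dir() and immediately before put_device(parent), and a short comment at the goto saying that no kobject has been registered yet would make that ordering constraint visible to whoever next reshuffles device_add()'s error ladder. The -ENOMEM is also swallowed silently here; a dev_err() would help, since the symptom used to be a loud WARN in kernfs and will now be a quiet registration failure reported to the calling driver.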
@@ -1882,6 +1886,7 @@ int device_add(struct device *dev)
kobject_del(&dev->kobj);
Error:
cleanup_glue_dir(dev, glue_dir);
+parent_error:
put_device(parent);
name_error:
kfree(dev->p);
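Review bot: parent_error: falls through to name_error: and so frees dev->p; that is correct only because dev->p is allocated before get_device_parent() is called, which this hunk does not show. Put a one-line comment on the new label stating the state it assumes (parent reference held, no glue directory, no kobject registered), since device_add() now has several stacked labels and the difference between them is not obvious from their names.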
@@ -2701,6 +2706,11 @@ int device_move(struct device *dev, struct device *new_parent,
device_pm_lock();
new_parent = get_device(new_parent);
new_parent_kobj = get_device_parent(dev, new_parent);
+ if (IS_ERR(new_parent_kobj)) {
+ error = PTR_ERR(new_parent_kobj);
+ put_device(new_parent);
+ goto out;
+ }

pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev),
__func__, new_parent ? dev_name(new_parent) : "<NULL>");
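Review bot: the new error path in device_move() calls put_device(new_parent) and then `goto out` while device_pm_lock() is still held (it is taken at the top of this hunk), so `out:` must call device_pm_unlock() and drop the reference taken on dev; please confirm that is what the label does. Not calling cleanup_glue_dir() here is correct, because no glue directory was obtained when get_device_parent() returns an ERR_PTR, but a comment saying so would stop this path from later being made to call it.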
--
1.8.3.1
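The commit message above pins the root cause to a return-value contract: class_dir_create_and_add() reported an allocation failure with the same NULL that get_device_parent() uses to mean "this device needs no class directory", so device_add() carried on with an unparented kobject and the namespace check in kernfs_add_one() fired later. The block below is an added example, not code from the thread, the patch or the kernel tree. It is a user-space model with hypothetical names (class_dir_create_model, get_device_parent_model, device_add_model, simulate) and its own copy of the ERR_PTR/IS_ERR/PTR_ERR helpers, and it runs the pre-patch and patched contracts side by side under the same injected allocation failure.

```c
/* Added example, not from the thread, the patch or the kernel tree: a
 * user-space model of the contract bug the patch fixes. The pre-patch
 * class_dir_create_and_add() returned NULL on allocation failure while
 * get_device_parent() also returns NULL when a device needs no class
 * directory, so device_add() could not tell "no parent" from "failed" and
 * continued with an unparented kobject. Names are hypothetical stand-ins;
 * the ERR_PTR helpers mirror <linux/err.h> but are reimplemented here. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline bool IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

struct kobject { struct kobject *parent; const char *name; };
struct class { const char *name; };
struct device { struct kobject kobj; struct device *parent; struct class *class; };

/* Fault-injection knob: when set, the next allocation fails once. */
static bool inject_alloc_failure;

static void *model_kzalloc(size_t sz)
{
	if (inject_alloc_failure) {
		inject_alloc_failure = false;
		return NULL;
	}
	return calloc(1, sz);
}

/* Glue-directory creation. fixed == false is the old contract (NULL on
 * failure); fixed == true is the patched one (ERR_PTR on failure). */
static struct kobject *class_dir_create_model(struct class *class,
					      struct kobject *parent_kobj, bool fixed)
{
	struct kobject *dir = model_kzalloc(sizeof(*dir));

	if (!dir)
		return fixed ? ERR_PTR(-ENOMEM) : NULL;
	dir->name = class->name;
	dir->parent = parent_kobj;
	return dir;
}

/* A device without a class needs no glue directory: that NULL is legitimate,
 * and it is the value the old failure path collided with. */
static struct kobject *get_device_parent_model(struct device *dev,
					       struct device *parent, bool fixed)
{
	struct kobject *parent_kobj = parent ? &parent->kobj : NULL;

	if (!dev->class)
		return parent_kobj;
	return class_dir_create_model(dev->class, parent_kobj, fixed);
}

/* device_add() as changed by the patch: the IS_ERR() test is the new line. */
static int device_add_model(struct device *dev, bool fixed)
{
	struct kobject *kobj = get_device_parent_model(dev, dev->parent, fixed);

	if (fixed && IS_ERR(kobj))
		return (int)PTR_ERR(kobj);
	if (kobj)
		dev->kobj.parent = kobj;

	/* Stand-in for the later class-symlink step: a class device whose kobject
	 * has no parent is the state kernfs_add_one() warned about ("ns required
	 * in 'ieee80211' for 'phy3'"); the model returns an error where the
	 * kernel emitted a WARN(). */
	if (dev->class && !dev->kobj.parent)
		return -EINVAL;
	return 0;
}

/* Registers a class device under a root device, optionally with the glue
 * directory allocation failing, and returns what device_add() reported. */
int simulate(bool fixed, bool fail_alloc)
{
	struct class ieee80211 = { .name = "ieee80211" };
	struct device root = { .kobj = { .name = "root" } };
	struct device phy = { .kobj = { .name = "phy3" },
			      .parent = &root, .class = &ieee80211 };
	int ret;

	inject_alloc_failure = fail_alloc;
	ret = device_add_model(&phy, fixed);
	free(phy.kobj.parent); /* the glue dir, if one was allocated */
	return ret;
}

int main(void)
{
	printf("old code, alloc ok:     %d\n", simulate(false, false)); /* 0 */
	printf("old code, alloc fails:  %d\n", simulate(false, true));  /* -EINVAL: reached the WARN stage */
	printf("patched, alloc fails:   %d\n", simulate(true, true));   /* -ENOMEM: rejected early */
	printf("patched, alloc ok:      %d\n", simulate(true, false));  /* 0 */
	return 0;
}
```

The point the model makes is the one Tetsuo's fix relies on: once "failed" and "no parent" share a value, the only place that can notice is a later consumer with different expectations, which is why the report surfaced in kernfs rather than in drivers/base. Reserving ERR_PTR for failure keeps NULL free for its legitimate meaning and lets device_add() reject the device at the point where the allocation actually failed.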

Tetsuo Handa

May 14, 2018, 10:50:17 AM5/14/18
to syzbot, syzkall...@googlegroups.com
OK. Patch is in driver-core.git#driver-core-testing as commit 84d0c27d6233a9ba.

#syz fix: driver core: Don't ignore class_dir_create_and_add() failure.
