[syzbot] [net?] WARNING in __unix_gc


syzbot

Feb 2, 2024, 8:26:30 AM
to da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 1701940b1a02 Merge branch 'tools-net-ynl-add-features-for-..
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15cbca88180000
kernel config: https://syzkaller.appspot.com/x/.config?x=43ed254f922f56d0
dashboard link: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b512ffe80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12d6927be80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/00090c03ed53/disk-1701940b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fc03bbe45eb3/vmlinux-1701940b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8a5b859954ca/bzImage-1701940b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa3ef8...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Modules linked in:
CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
kthread+0x2c6/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

Feb 2, 2024, 7:41:36 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 02 Feb 2024 05:26:28 -0800
> HEAD commit: 1701940b1a02 Merge branch 'tools-net-ynl-add-features-for-..
> git tree: net-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12d6927be80000

#syz test

--- x/net/unix/garbage.c
+++ y/net/unix/garbage.c
@@ -237,6 +237,8 @@ static void inc_inflight(struct unix_soc
usk->inflight++;
}

+static int recycle;
+
static void inc_inflight_move_tail(struct unix_sock *u)
{
u->inflight++;
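Review bot: The new file-scope "static int recycle;" above inc_inflight_move_tail() has no comment saying what it counts or which lock protects it. The later hunks reset it under unix_gc_lock and only ever test it for zero, so a bool with a one-line comment naming that lock would state the intent more clearly.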
@@ -245,8 +247,10 @@ static void inc_inflight_move_tail(struc
* of the list, so that it's checked even if it was already
* passed over
*/
- if (test_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags))
+ if (test_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags)) {
list_move_tail(&u->link, &gc_candidates);
+ recycle++;
+ }
}

static bool gc_in_progress;
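Review bot: recycle++ in the UNIX_GC_MAYBE_CYCLE branch counts every list_move_tail() onto gc_candidates, not the sockets that are still on that list when the final check runs. The comment just above describes this move as the way a candidate gets checked again, so a non-zero count does not show that a leftover entry is expected; if the aim is diagnosis, reporting the sockets that remain on the list at the check would say more than a counter.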
@@ -259,6 +263,7 @@ static void __unix_gc(struct work_struct
struct list_head cursor;

spin_lock(&unix_gc_lock);
+ recycle = 0;

/* First, select candidates for garbage collection. Only
* in-flight sockets are considered, and from those only ones
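Review bot: "recycle = 0;" is reset here under unix_gc_lock, but the last hunk shows spin_lock(&unix_gc_lock) being taken again before the WARN_ON_ONCE, so the lock is released somewhere in between. Add a comment stating why the value read at the final check still belongs to this pass, or keep the state local to __unix_gc() instead of in a file-scope variable.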
@@ -342,7 +347,7 @@ static void __unix_gc(struct work_struct
spin_lock(&unix_gc_lock);

/* All candidates should have been detached by now. */
- WARN_ON_ONCE(!list_empty(&gc_candidates));
+ WARN_ON_ONCE(!list_empty(&gc_candidates) && !recycle);

/* Paired with READ_ONCE() in wait_for_unix_gc(). */
WRITE_ONCE(gc_in_progress, false);
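Review bot: Adding "&& !recycle" to the WARN_ON_ONCE means a non-empty gc_candidates list is accepted silently whenever any candidate was moved to the tail during the pass, which contradicts the comment directly above ("All candidates should have been detached by now"). This suppresses the assertion rather than explaining why entries remain; keep the original condition in anything meant for merging, or update the comment to say when leftover candidates are legitimate.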
--

syzbot

Feb 2, 2024, 10:17:06 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __unix_gc

------------[ cut here ]------------
WARNING: CPU: 1 PID: 11 at net/unix/garbage.c:350 __unix_gc+0xe90/0xec0 net/unix/garbage.c:350
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g73c59d6fe109-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__unix_gc+0xe90/0xec0 net/unix/garbage.c:350
Code: 8b 04 25 28 00 00 00 48 3b 84 24 20 01 00 00 75 40 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 31 9a 8b f7 90 <0f> 0b 90 eb 8e 48 8b 4c 24 08 80 e1 07 80 c1 03 38 c1 0f 8c e4 fb
RSP: 0018:ffffc90000107a80 EFLAGS: 00010293
RAX: ffffffff8a07bc2f RBX: 0000000000000000 RCX: ffff8880172ebb80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000107bf0 R08: ffffffff8a07bbb3 R09: fffff52000020f40
R10: dffffc0000000000 R11: fffff52000020f40 R12: 1ffff92000020f5e
R13: ffffc90000107ae0 R14: ffffc90000107ae0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f83579e65e8 CR3: 000000000df34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x973/0x14b0 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>


Tested on:

commit: 73c59d6f Merge branch 'net-sched-load-modules-via-alias'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14fdf6ffe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2ad00c8608f36a5
dashboard link: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1384e09fe80000

Kuniyuki Iwashima

Feb 2, 2024, 11:00:39 PM
to syzbot+fa3ef8...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
From: syzbot <syzbot+fa3ef8...@syzkaller.appspotmail.com>
Date: Fri, 02 Feb 2024 05:26:28 -0800
Ugh, I should've noticed this before sending another series.

It seems syzbot creates a self-ref cycle.
I'll look into it.

Thanks.