WARNING: ODEBUG bug in netdev_freemem


syzbot

Apr 17, 2019, 7:08:06 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4b0e041c Linux 4.19.35
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=176c9c7b200000
kernel config: https://syzkaller.appspot.com/x/.config?x=bb1bcac868b1655e
dashboard link: https://syzkaller.appspot.com/bug?extid=fd425fba4411ecc3ca61
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fd425f...@syzkaller.appspotmail.com

------------[ cut here ]------------
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
ODEBUG: free active (active state 0) object type: timer_list hint:
delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:4916
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
WARNING: CPU: 1 PID: 17665 at lib/debugobjects.c:325
debug_print_object+0x16a/0x250 lib/debugobjects.c:325
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 17665 Comm: kworker/u4:6 Not tainted 4.19.35 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x263/0x51d kernel/panic.c:185
__warn.cold+0x20/0x54 kernel/panic.c:540
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:997
RIP: 0010:debug_print_object+0x16a/0x250 lib/debugobjects.c:325
Code: dd 60 ad 81 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48
8b 14 dd 60 ad 81 87 48 c7 c7 00 a3 81 87 e8 54 61 1a fe <0f> 0b 83 05 99
bc 16 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
RSP: 0018:ffff88805a3df838 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8155cf26 RDI: ffffed100b47bef9
RBP: ffff88805a3df878 R08: ffff888088640280 R09: fffffbfff10f2619
R10: fffffbfff10f2618 R11: ffffffff887930c3 R12: 0000000000000001
R13: ffffffff887aa540 R14: ffffffff815b3fd0 R15: ffff8880639eab60
__debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
debug_check_no_obj_freed+0x29f/0x464 lib/debugobjects.c:817
kfree+0xbd/0x230 mm/slab.c:3821
kvfree+0x61/0x70 mm/util.c:452
netdev_freemem+0x4c/0x60 net/core/dev.c:8883
netdev_release+0x86/0xb0 net/core/net-sysfs.c:1645
device_release+0x7d/0x210 drivers/base/core.c:891
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x28f/0x2ec lib/kobject.c:708
netdev_run_todo+0x5cc/0x7d0 net/core/dev.c:8788
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:117
default_device_exit_batch+0x35a/0x410 net/core/dev.c:9569
ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
cleanup_net+0x3fb/0x960 net/core/net_namespace.c:552
process_one_work+0x98e/0x1760 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

======================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jun 5, 2019, 3:13:05 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: e109a984 Linux 4.19.48
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b5ec2ea00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d14dd88554f26bc
dashboard link: https://syzkaller.appspot.com/bug?extid=fd425fba4411ecc3ca61
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105848d4a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fd425f...@syzkaller.appspotmail.com

------------[ cut here ]------------
kobject: 'veth0_to_team' (00000000dab8e779): kobject_uevent_env
kobject: 'veth0_to_team' (00000000dab8e779): fill_kobj_path: path
= '/devices/virtual/net/veth0_to_team'
ODEBUG: free active (active state 0) object type: timer_list hint:
delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:4919
kobject: 'queues' (000000002bf135bd): kobject_add_internal:
parent: 'veth0_to_team', set: '<NULL>'
WARNING: CPU: 1 PID: 7 at lib/debugobjects.c:325
debug_print_object+0x168/0x250 lib/debugobjects.c:325
kobject: 'queues' (000000002bf135bd): kobject_uevent_env
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.48 #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
kobject: 'queues' (000000002bf135bd): kobject_uevent_env: filter function
caused the event to drop!
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x263/0x507 kernel/panic.c:185
__warn.cold+0x20/0x4a kernel/panic.c:540
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
kobject: 'rx-0' (00000000483daf50): kobject_add_internal: parent: 'queues',
set: 'queues'
kobject: 'rx-0' (00000000483daf50): kobject_uevent_env
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1013
RIP: 0010:debug_print_object+0x168/0x250 lib/debugobjects.c:325
Code: dd e0 bb 81 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48
8b 14 dd e0 bb 81 87 48 c7 c7 80 b1 81 87 e8 26 43 1a fe <0f> 0b 83 05 ab
07 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
RSP: 0018:ffff8880aa21f838 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
kobject: 'rx-0' (00000000483daf50): fill_kobj_path: path
= '/devices/virtual/net/veth0_to_team/queues/rx-0'
RDX: 0000000000000000 RSI: ffffffff81559f16 RDI: ffffed1015443ef9
kobject: 'tx-0' (000000007db8bfdc): kobject_add_internal: parent: 'queues',
set: 'queues'
RBP: ffff8880aa21f878 R08: ffff8880aa2061c0 R09: fffffbfff10f269d
kobject: 'tx-0' (000000007db8bfdc): kobject_uevent_env
R10: fffffbfff10f269c R11: ffffffff887934e3 R12: 0000000000000001
R13: ffffffff887aa940 R14: ffffffff815b0dc0 R15: ffff888094deab20
kobject: 'tx-0' (000000007db8bfdc): fill_kobj_path: path
= '/devices/virtual/net/veth0_to_team/queues/tx-0'
__debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
debug_check_no_obj_freed+0x29f/0x464 lib/debugobjects.c:817
kfree+0xbd/0x220 mm/slab.c:3821
kobject: 'batman_adv' (00000000e1605fec): kobject_add_internal:
parent: 'veth0_to_team', set: '<NULL>'
kvfree+0x61/0x70 mm/util.c:452
kobject: 'team_slave_0' (00000000ecd7d496): kobject_add_internal:
parent: 'net', set: 'devices'
netdev_freemem+0x4c/0x60 net/core/dev.c:8897
kobject: 'team_slave_0' (00000000ecd7d496): kobject_uevent_env
netdev_release+0x86/0xb0 net/core/net-sysfs.c:1645
kobject: 'team_slave_0' (00000000ecd7d496): fill_kobj_path: path
= '/devices/virtual/net/team_slave_0'
device_release+0x7b/0x210 drivers/base/core.c:891
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x289/0x2e6 lib/kobject.c:708
netdev_run_todo+0x53b/0x7c0 net/core/dev.c:8802
kobject: 'queues' (00000000a29d38c2): kobject_add_internal:
parent: 'team_slave_0', set: '<NULL>'
kobject: 'queues' (00000000a29d38c2): kobject_uevent_env
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:117
kobject: 'queues' (00000000a29d38c2): kobject_uevent_env: filter function
caused the event to drop!
default_device_exit_batch+0x358/0x410 net/core/dev.c:9583
kobject: 'rx-0' (0000000060f9ab6e): kobject_add_internal: parent: 'queues',
set: 'queues'
kobject: 'rx-0' (0000000060f9ab6e): kobject_uevent_env
ops_exit_list.isra.0+0xfc/0x150 net/core/net_namespace.c:156
cleanup_net+0x3fb/0x960 net/core/net_namespace.c:552
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
kobject: 'rx-0' (0000000060f9ab6e): fill_kobj_path: path
= '/devices/virtual/net/team_slave_0/queues/rx-0'
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

======================================================

syzbot

Aug 27, 2022, 1:00:29 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.