WARNING: ODEBUG bug in tcindex_destroy_work
8 views
Skip to first unread message
syzbot
Oct 21, 2019, 1:48:08 AM10/21/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: c3038e71 Linux 4.19.80
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ff83e8e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=44c623b7e5432cee
dashboard link: https://syzkaller.appspot.com/bug?extid=47d7891a3d84eea1a9c4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47d789...@syzkaller.appspotmail.com
audit: type=1804 audit(1571633215.307:69): pid=9332 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.4"
name="/root/syzkaller-testdir179470882/syzkaller.horben/59/bus" dev="sda1"
ino=16745 res=1
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: work_struct hint:
tcindex_destroy_rexts_work+0x0/0x30 net/sched/cls_tcindex.c:142
WARNING: CPU: 1 PID: 7 at lib/debugobjects.c:325
debug_print_object+0x168/0x250 lib/debugobjects.c:325
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
audit: type=1804 audit(1571633215.307:70): pid=9332 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=ToMToU comm="syz-executor.4"
name="/root/syzkaller-testdir179470882/syzkaller.horben/59/bus" dev="sda1"
ino=16745 res=1
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x26a/0x50e kernel/panic.c:186
kobject: 'veth7' (0000000053f1120c): kobject_cleanup, parent
(null)
kobject: 'veth7' (0000000053f1120c): calling ktype release
__warn.cold+0x20/0x53 kernel/panic.c:541
kobject: 'veth7': free name
report_bug+0x263/0x2b0 lib/bug.c:186
kobject: 'veth6' (000000003c89aa0c): kobject_cleanup, parent
(null)
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
kobject: 'veth6' (000000003c89aa0c): calling ktype release
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
kobject: 'veth6': free name
RIP: 0010:debug_print_object+0x168/0x250 lib/debugobjects.c:325
Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48
8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb
f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
RSP: 0018:ffff8880aa21fc18 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1015443f75
RBP: ffff8880aa21fc58 R08: ffff8880aa2061c0 R09: ffffed1015d23ee3
R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
R13: ffffffff8876c960 R14: ffffffff81447db0 R15: ffff88804c0c9fa8
__debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
debug_check_no_obj_freed+0x29f/0x464 lib/debugobjects.c:817
kfree+0xbd/0x220 mm/slab.c:3821
tcindex_destroy_work+0x33/0x80 net/sched/cls_tcindex.c:230
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
======================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: c3038e71 Linux 4.19.80
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ff83e8e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=44c623b7e5432cee
dashboard link: https://syzkaller.appspot.com/bug?extid=47d7891a3d84eea1a9c4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47d789...@syzkaller.appspotmail.com
audit: type=1804 audit(1571633215.307:69): pid=9332 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.4"
name="/root/syzkaller-testdir179470882/syzkaller.horben/59/bus" dev="sda1"
ino=16745 res=1
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: work_struct hint:
tcindex_destroy_rexts_work+0x0/0x30 net/sched/cls_tcindex.c:142
WARNING: CPU: 1 PID: 7 at lib/debugobjects.c:325
debug_print_object+0x168/0x250 lib/debugobjects.c:325
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
audit: type=1804 audit(1571633215.307:70): pid=9332 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=ToMToU comm="syz-executor.4"
name="/root/syzkaller-testdir179470882/syzkaller.horben/59/bus" dev="sda1"
ino=16745 res=1
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x26a/0x50e kernel/panic.c:186
kobject: 'veth7' (0000000053f1120c): kobject_cleanup, parent
(null)
kobject: 'veth7' (0000000053f1120c): calling ktype release
__warn.cold+0x20/0x53 kernel/panic.c:541
kobject: 'veth7': free name
report_bug+0x263/0x2b0 lib/bug.c:186
kobject: 'veth6' (000000003c89aa0c): kobject_cleanup, parent
(null)
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
kobject: 'veth6' (000000003c89aa0c): calling ktype release
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
kobject: 'veth6': free name
RIP: 0010:debug_print_object+0x168/0x250 lib/debugobjects.c:325
Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48
8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb
f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
RSP: 0018:ffff8880aa21fc18 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1015443f75
RBP: ffff8880aa21fc58 R08: ffff8880aa2061c0 R09: ffffed1015d23ee3
R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
R13: ffffffff8876c960 R14: ffffffff81447db0 R15: ffff88804c0c9fa8
__debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
debug_check_no_obj_freed+0x29f/0x464 lib/debugobjects.c:817
kfree+0xbd/0x220 mm/slab.c:3821
tcindex_destroy_work+0x33/0x80 net/sched/cls_tcindex.c:230
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
======================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 21, 2019, 2:51:07 AM10/21/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: c3038e71 Linux 4.19.80
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=166b7fcf600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104e87cf600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47d789...@syzkaller.appspotmail.com
------------[ cut here ]------------
kobject: 'veth0' (00000000fba63aeb): kobject_add_internal: parent: 'net',
set: 'devices'
= '/devices/virtual/net/veth0'
panic+0x26a/0x50e kernel/panic.c:186
kobject: 'queues' (000000009ee14878): kobject_add_internal:
parent: 'veth0', set: '<NULL>'
kobject: 'queues' (000000009ee14878): kobject_uevent_env
__warn.cold+0x20/0x53 kernel/panic.c:541
kobject: 'queues' (000000009ee14878): kobject_uevent_env: filter function
caused the event to drop!
report_bug+0x263/0x2b0 lib/bug.c:186
kobject: 'rx-0' (000000006e40b33e): kobject_add_internal: parent: 'queues',
set: 'queues'
kobject: 'rx-0' (000000006e40b33e): fill_kobj_path: path
= '/devices/virtual/net/veth0/queues/rx-0'
set: 'queues'
kobject: 'tx-0' (00000000e52113cd): fill_kobj_path: path
= '/devices/virtual/net/veth0/queues/tx-0'
parent: 'veth0', set: '<NULL>'
set: 'devices'
kobject: 'veth1' (00000000128d22f2): fill_kobj_path: path
= '/devices/virtual/net/veth1'
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
======================================================
HEAD commit: c3038e71 Linux 4.19.80
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=44c623b7e5432cee
dashboard link: https://syzkaller.appspot.com/bug?extid=47d7891a3d84eea1a9c4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=138316ef600000
dashboard link: https://syzkaller.appspot.com/bug?extid=47d7891a3d84eea1a9c4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104e87cf600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47d789...@syzkaller.appspotmail.com
kobject: 'veth0' (00000000fba63aeb): kobject_add_internal: parent: 'net',
set: 'devices'
ODEBUG: free active (active state 0) object type: work_struct hint:
tcindex_destroy_rexts_work+0x0/0x30 net/sched/cls_tcindex.c:142
WARNING: CPU: 1 PID: 7 at lib/debugobjects.c:325
debug_print_object+0x168/0x250 lib/debugobjects.c:325
kobject: 'veth0' (00000000fba63aeb): kobject_uevent_env
tcindex_destroy_rexts_work+0x0/0x30 net/sched/cls_tcindex.c:142
WARNING: CPU: 1 PID: 7 at lib/debugobjects.c:325
debug_print_object+0x168/0x250 lib/debugobjects.c:325
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
kobject: 'veth0' (00000000fba63aeb): fill_kobj_path: path
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
= '/devices/virtual/net/veth0'
panic+0x26a/0x50e kernel/panic.c:186
kobject: 'queues' (000000009ee14878): kobject_add_internal:
parent: 'veth0', set: '<NULL>'
kobject: 'queues' (000000009ee14878): kobject_uevent_env
__warn.cold+0x20/0x53 kernel/panic.c:541
kobject: 'queues' (000000009ee14878): kobject_uevent_env: filter function
caused the event to drop!
report_bug+0x263/0x2b0 lib/bug.c:186
kobject: 'rx-0' (000000006e40b33e): kobject_add_internal: parent: 'queues',
set: 'queues'
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
kobject: 'rx-0' (000000006e40b33e): kobject_uevent_env
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
kobject: 'rx-0' (000000006e40b33e): fill_kobj_path: path
= '/devices/virtual/net/veth0/queues/rx-0'
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
RIP: 0010:debug_print_object+0x168/0x250 lib/debugobjects.c:325
Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48
8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb
f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
kobject: 'tx-0' (00000000e52113cd): kobject_add_internal: parent: 'queues',
Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48
8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb
f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
set: 'queues'
RSP: 0018:ffff8880aa21fc18 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1015443f75
RBP: ffff8880aa21fc58 R08: ffff8880aa2061c0 R09: ffffed1015d23ee3
kobject: 'tx-0' (00000000e52113cd): kobject_uevent_env
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1015443f75
RBP: ffff8880aa21fc58 R08: ffff8880aa2061c0 R09: ffffed1015d23ee3
R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
R13: ffffffff8876c960 R14: ffffffff81447db0 R15: ffff888095b92fc8
kobject: 'tx-0' (00000000e52113cd): fill_kobj_path: path
= '/devices/virtual/net/veth0/queues/tx-0'
__debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
debug_check_no_obj_freed+0x29f/0x464 lib/debugobjects.c:817
kobject: 'batman_adv' (0000000033251d6c): kobject_add_internal:
debug_check_no_obj_freed+0x29f/0x464 lib/debugobjects.c:817
parent: 'veth0', set: '<NULL>'
kfree+0xbd/0x220 mm/slab.c:3821
tcindex_destroy_work+0x33/0x80 net/sched/cls_tcindex.c:230
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
kobject: 'veth1' (00000000128d22f2): kobject_add_internal: parent: 'net',
tcindex_destroy_work+0x33/0x80 net/sched/cls_tcindex.c:230
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
set: 'devices'
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
kobject: 'veth1' (00000000128d22f2): kobject_uevent_env
kthread+0x354/0x420 kernel/kthread.c:246
kobject: 'veth1' (00000000128d22f2): fill_kobj_path: path
= '/devices/virtual/net/veth1'
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
======================================================
Reply all
Reply to author
Forward
0 new messages