possible deadlock in hci_dev_do_close
7 views
Skip to first unread message
syzbot
Aug 27, 2020, 11:13:22 AM8/27/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=129b5cda900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=e73e6633d2b34f0bcffe
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e73e66...@syzkaller.appspotmail.com
audit: type=1804 audit(1598541143.093:69): pid=20644 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op="invalid_pcr" cause="ToMToU" comm="syz-executor.2" name="/root/syzkaller-testdir394393479/syzkaller.h8UmDY/110/bus" dev="sda1" ino=16154 res=1
======================================================
WARNING: possible circular locking dependency detected
4.14.195-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/15309 is trying to acquire lock:
("%s"hdev->name#2){+.+.}, at: [<ffffffff813bd427>] start_flush_work kernel/workqueue.c:2860 [inline]
("%s"hdev->name#2){+.+.}, at: [<ffffffff813bd427>] flush_work+0x387/0x770 kernel/workqueue.c:2892
but task is already holding lock:
(&hdev->lock){+.+.}, at: [<ffffffff85af8650>] hci_dev_do_close+0x210/0xc50 net/bluetooth/hci_core.c:1607
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&hdev->lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hci_cc_write_scan_enable net/bluetooth/hci_event.c:360 [inline]
hci_cmd_complete_evt+0x4f1a/0x9590 net/bluetooth/hci_event.c:2839
hci_event_packet+0x1a5d/0x7d1d net/bluetooth/hci_event.c:5321
hci_rx_work+0x3e6/0x970 net/bluetooth/hci_core.c:4244
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
-> #1 ((&hdev->rx_work)){+.+.}:
process_one_work+0x736/0x14a0 kernel/workqueue.c:2092
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
-> #0 ("%s"hdev->name#2){+.+.}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
start_flush_work kernel/workqueue.c:2861 [inline]
flush_work+0x3ac/0x770 kernel/workqueue.c:2892
__cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964
hci_conn_del+0x43/0x620 net/bluetooth/hci_conn.c:575
hci_conn_hash_flush+0x189/0x220 net/bluetooth/hci_conn.c:1377
hci_dev_do_close+0x542/0xc50 net/bluetooth/hci_core.c:1620
hci_unregister_dev+0x170/0x7a0 net/bluetooth/hci_core.c:3191
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa08/0x27f0 kernel/exit.c:865
do_group_exit+0x100/0x2e0 kernel/exit.c:962
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
other info that might help us debug this:
Chain exists of:
"%s"hdev->name#2 --> (&hdev->rx_work) --> &hdev->lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&hdev->lock);
lock((&hdev->rx_work));
lock(&hdev->lock);
lock("%s"hdev->name#2);
*** DEADLOCK ***
2 locks held by syz-executor.4/15309:
#0: (&hdev->req_lock){+.+.}, at: [<ffffffff85af853d>] hci_dev_do_close+0xfd/0xc50 net/bluetooth/hci_core.c:1576
#1: (&hdev->lock){+.+.}, at: [<ffffffff85af8650>] hci_dev_do_close+0x210/0xc50 net/bluetooth/hci_core.c:1607
stack backtrace:
CPU: 1 PID: 15309 Comm: syz-executor.4 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
start_flush_work kernel/workqueue.c:2861 [inline]
flush_work+0x3ac/0x770 kernel/workqueue.c:2892
__cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964
hci_conn_del+0x43/0x620 net/bluetooth/hci_conn.c:575
hci_conn_hash_flush+0x189/0x220 net/bluetooth/hci_conn.c:1377
hci_dev_do_close+0x542/0xc50 net/bluetooth/hci_core.c:1620
hci_unregister_dev+0x170/0x7a0 net/bluetooth/hci_core.c:3191
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa08/0x27f0 kernel/exit.c:865
do_group_exit+0x100/0x2e0 kernel/exit.c:962
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45d5b9
RSP: 002b:00007fcb36459cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000118cfe8 RCX: 000000000045d5b9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118cfe8
RBP: 000000000118cfe0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
R13: 00007ffe6424d8cf R14: 00007fcb3645a9c0 R15: 000000000118cfec
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
device bond20 entered promiscuous mode
nla_parse: 6 callbacks suppressed
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
rxrpc: AF_RXRPC: Leaked local ffff88808b8984c0 {1}
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
------------[ cut here ]------------
kernel BUG at net/rxrpc/local_object.c:408!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 22 Comm: kworker/u4:1 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
task: ffff8880a9a5a5c0 task.stack: ffff8880a9a60000
RIP: 0010:rxrpc_destroy_all_locals+0xe6/0xf2 net/rxrpc/local_object.c:408
RSP: 0018:ffff8880a9a67c28 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: ffff88809f0a18c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffff88809f0a18e0 R08: ffff8880aeb2beb0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809f0a18e0
R13: ffff88809f0a18f0 R14: dffffc0000000000 R15: fffffbfff10fe50f
FS: 0000000000000000(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 00000000829f3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rxrpc_exit_net+0x158/0x260 net/rxrpc/net_ns.c:78
device bond20 entered promiscuous mode
ops_exit_list+0xa5/0x150 net/core/net_namespace.c:142
cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: 00 00 00 00 00 fc ff df 48 83 eb 20 e8 84 ee 8b fb 4c 8d 63 20 4c 39 e5 0f 85 52 00 00 00 e8 72 ee 8b fb 4c 89 ef e8 ea 1f 84 00 <0f> 0b 48 89 ef e8 d0 b9 b5 fb eb c0 e8 59 ee 8b fb 48 c7 c7 60
RIP: rxrpc_destroy_all_locals+0xe6/0xf2 net/rxrpc/local_object.c:408 RSP: ffff8880a9a67c28
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
---[ end trace 95bd237bfe4e270a ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=129b5cda900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=e73e6633d2b34f0bcffe
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e73e66...@syzkaller.appspotmail.com
audit: type=1804 audit(1598541143.093:69): pid=20644 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op="invalid_pcr" cause="ToMToU" comm="syz-executor.2" name="/root/syzkaller-testdir394393479/syzkaller.h8UmDY/110/bus" dev="sda1" ino=16154 res=1
======================================================
WARNING: possible circular locking dependency detected
4.14.195-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/15309 is trying to acquire lock:
("%s"hdev->name#2){+.+.}, at: [<ffffffff813bd427>] start_flush_work kernel/workqueue.c:2860 [inline]
("%s"hdev->name#2){+.+.}, at: [<ffffffff813bd427>] flush_work+0x387/0x770 kernel/workqueue.c:2892
but task is already holding lock:
(&hdev->lock){+.+.}, at: [<ffffffff85af8650>] hci_dev_do_close+0x210/0xc50 net/bluetooth/hci_core.c:1607
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&hdev->lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hci_cc_write_scan_enable net/bluetooth/hci_event.c:360 [inline]
hci_cmd_complete_evt+0x4f1a/0x9590 net/bluetooth/hci_event.c:2839
hci_event_packet+0x1a5d/0x7d1d net/bluetooth/hci_event.c:5321
hci_rx_work+0x3e6/0x970 net/bluetooth/hci_core.c:4244
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
-> #1 ((&hdev->rx_work)){+.+.}:
process_one_work+0x736/0x14a0 kernel/workqueue.c:2092
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
-> #0 ("%s"hdev->name#2){+.+.}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
start_flush_work kernel/workqueue.c:2861 [inline]
flush_work+0x3ac/0x770 kernel/workqueue.c:2892
__cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964
hci_conn_del+0x43/0x620 net/bluetooth/hci_conn.c:575
hci_conn_hash_flush+0x189/0x220 net/bluetooth/hci_conn.c:1377
hci_dev_do_close+0x542/0xc50 net/bluetooth/hci_core.c:1620
hci_unregister_dev+0x170/0x7a0 net/bluetooth/hci_core.c:3191
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa08/0x27f0 kernel/exit.c:865
do_group_exit+0x100/0x2e0 kernel/exit.c:962
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
other info that might help us debug this:
Chain exists of:
"%s"hdev->name#2 --> (&hdev->rx_work) --> &hdev->lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&hdev->lock);
lock((&hdev->rx_work));
lock(&hdev->lock);
lock("%s"hdev->name#2);
*** DEADLOCK ***
2 locks held by syz-executor.4/15309:
#0: (&hdev->req_lock){+.+.}, at: [<ffffffff85af853d>] hci_dev_do_close+0xfd/0xc50 net/bluetooth/hci_core.c:1576
#1: (&hdev->lock){+.+.}, at: [<ffffffff85af8650>] hci_dev_do_close+0x210/0xc50 net/bluetooth/hci_core.c:1607
stack backtrace:
CPU: 1 PID: 15309 Comm: syz-executor.4 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
start_flush_work kernel/workqueue.c:2861 [inline]
flush_work+0x3ac/0x770 kernel/workqueue.c:2892
__cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964
hci_conn_del+0x43/0x620 net/bluetooth/hci_conn.c:575
hci_conn_hash_flush+0x189/0x220 net/bluetooth/hci_conn.c:1377
hci_dev_do_close+0x542/0xc50 net/bluetooth/hci_core.c:1620
hci_unregister_dev+0x170/0x7a0 net/bluetooth/hci_core.c:3191
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa08/0x27f0 kernel/exit.c:865
do_group_exit+0x100/0x2e0 kernel/exit.c:962
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45d5b9
RSP: 002b:00007fcb36459cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000118cfe8 RCX: 000000000045d5b9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118cfe8
RBP: 000000000118cfe0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
R13: 00007ffe6424d8cf R14: 00007fcb3645a9c0 R15: 000000000118cfec
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
device bond20 entered promiscuous mode
nla_parse: 6 callbacks suppressed
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
device bond20 entered promiscuous mode
bond20 (unregistering): Released all slaves
rxrpc: AF_RXRPC: Leaked local ffff88808b8984c0 {1}
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
------------[ cut here ]------------
kernel BUG at net/rxrpc/local_object.c:408!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 22 Comm: kworker/u4:1 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
task: ffff8880a9a5a5c0 task.stack: ffff8880a9a60000
RIP: 0010:rxrpc_destroy_all_locals+0xe6/0xf2 net/rxrpc/local_object.c:408
RSP: 0018:ffff8880a9a67c28 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: ffff88809f0a18c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffff88809f0a18e0 R08: ffff8880aeb2beb0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809f0a18e0
R13: ffff88809f0a18f0 R14: dffffc0000000000 R15: fffffbfff10fe50f
FS: 0000000000000000(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 00000000829f3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rxrpc_exit_net+0x158/0x260 net/rxrpc/net_ns.c:78
device bond20 entered promiscuous mode
ops_exit_list+0xa5/0x150 net/core/net_namespace.c:142
cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: 00 00 00 00 00 fc ff df 48 83 eb 20 e8 84 ee 8b fb 4c 8d 63 20 4c 39 e5 0f 85 52 00 00 00 e8 72 ee 8b fb 4c 89 ef e8 ea 1f 84 00 <0f> 0b 48 89 ef e8 d0 b9 b5 fb eb c0 e8 59 ee 8b fb 48 c7 c7 60
RIP: rxrpc_destroy_all_locals+0xe6/0xf2 net/rxrpc/local_object.c:408 RSP: ffff8880a9a67c28
bond20 (unregistering): Released all slaves
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
---[ end trace 95bd237bfe4e270a ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Aug 21, 2021, 4:03:17 AM8/21/21
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages