BUG: unable to handle kernel NULL pointer dereference in rhashtable_free_and_destroy
45 views
Skip to first unread message
syzbot
Oct 21, 2020, 1:32:17 AM10/21/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b98ea0500000
kernel config: https://syzkaller.appspot.com/x/.config?x=19e1d59b1459bb9a
dashboard link: https://syzkaller.appspot.com/bug?extid=f3bd705c8213cd31abf6
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3bd70...@syzkaller.appspotmail.com
RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000003
RBP: 00007f7197b66ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 00007fff88d5628f R14: 00007f7197b679c0 R15: 000000000118bf2c
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
PGD 8c171067 P4D 8c171067 PUD 8c172067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6178 Comm: kworker/0:3 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x720 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 56 05 00 00 4c 89 6d 00 e8 ab 82 2d 00 31 ff 44 89 e6 e8 41 05 28 00 45 84 e4 0f 85 da 01 00 00 e8 03 04 28 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 1f 05 28 00 45 84
RSP: 0018:ffff88809ad37838 EFLAGS: 00010093
RAX: ffff88809c0fa600 RBX: 0000000000000080 RCX: ffffffff8149cebf
RDX: 0000000000000000 RSI: ffffffff8149cecd RDI: 0000000000000001
RBP: ffff88809ad378b0 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff88809c0fa600
FS: 0000000000000000(0000) GS:ffff8880ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008c170000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0xa6/0x5c0 kernel/workqueue.c:2974
rhashtable_free_and_destroy+0x2b/0xa50 lib/rhashtable.c:1145
mesh_table_free net/mac80211/mesh_pathtbl.c:72 [inline]
mesh_pathtbl_unregister+0x42/0x9a net/mac80211/mesh_pathtbl.c:827
ieee80211_teardown_sdata+0x216/0x2d0 net/mac80211/iface.c:1126
rollback_registered_many+0x97d/0xf00 net/core/dev.c:8202
rollback_registered+0xe9/0x1b0 net/core/dev.c:8230
unregister_netdevice_queue+0x1de/0x400 net/core/dev.c:9292
unregister_netdevice include/linux/netdevice.h:2614 [inline]
ieee80211_if_remove+0x213/0x330 net/mac80211/iface.c:1919
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:144
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0x1f4/0x7c0 net/wireless/core.c:317
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x796/0x14e0 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
CR2: 0000000000000080
---[ end trace d008542704297176 ]---
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x720 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 56 05 00 00 4c 89 6d 00 e8 ab 82 2d 00 31 ff 44 89 e6 e8 41 05 28 00 45 84 e4 0f 85 da 01 00 00 e8 03 04 28 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 1f 05 28 00 45 84
RSP: 0018:ffff88809ad37838 EFLAGS: 00010093
RAX: ffff88809c0fa600 RBX: 0000000000000080 RCX: ffffffff8149cebf
RDX: 0000000000000000 RSI: ffffffff8149cecd RDI: 0000000000000001
RBP: ffff88809ad378b0 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff88809c0fa600
FS: 0000000000000000(0000) GS:ffff8880ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008c170000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b98ea0500000
kernel config: https://syzkaller.appspot.com/x/.config?x=19e1d59b1459bb9a
dashboard link: https://syzkaller.appspot.com/bug?extid=f3bd705c8213cd31abf6
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3bd70...@syzkaller.appspotmail.com
RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000003
RBP: 00007f7197b66ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 00007fff88d5628f R14: 00007f7197b679c0 R15: 000000000118bf2c
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
PGD 8c171067 P4D 8c171067 PUD 8c172067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6178 Comm: kworker/0:3 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x720 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 56 05 00 00 4c 89 6d 00 e8 ab 82 2d 00 31 ff 44 89 e6 e8 41 05 28 00 45 84 e4 0f 85 da 01 00 00 e8 03 04 28 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 1f 05 28 00 45 84
RSP: 0018:ffff88809ad37838 EFLAGS: 00010093
RAX: ffff88809c0fa600 RBX: 0000000000000080 RCX: ffffffff8149cebf
RDX: 0000000000000000 RSI: ffffffff8149cecd RDI: 0000000000000001
RBP: ffff88809ad378b0 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff88809c0fa600
FS: 0000000000000000(0000) GS:ffff8880ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008c170000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0xa6/0x5c0 kernel/workqueue.c:2974
rhashtable_free_and_destroy+0x2b/0xa50 lib/rhashtable.c:1145
mesh_table_free net/mac80211/mesh_pathtbl.c:72 [inline]
mesh_pathtbl_unregister+0x42/0x9a net/mac80211/mesh_pathtbl.c:827
ieee80211_teardown_sdata+0x216/0x2d0 net/mac80211/iface.c:1126
rollback_registered_many+0x97d/0xf00 net/core/dev.c:8202
rollback_registered+0xe9/0x1b0 net/core/dev.c:8230
unregister_netdevice_queue+0x1de/0x400 net/core/dev.c:9292
unregister_netdevice include/linux/netdevice.h:2614 [inline]
ieee80211_if_remove+0x213/0x330 net/mac80211/iface.c:1919
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:144
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0x1f4/0x7c0 net/wireless/core.c:317
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x796/0x14e0 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
CR2: 0000000000000080
---[ end trace d008542704297176 ]---
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x720 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 56 05 00 00 4c 89 6d 00 e8 ab 82 2d 00 31 ff 44 89 e6 e8 41 05 28 00 45 84 e4 0f 85 da 01 00 00 e8 03 04 28 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 1f 05 28 00 45 84
RSP: 0018:ffff88809ad37838 EFLAGS: 00010093
RAX: ffff88809c0fa600 RBX: 0000000000000080 RCX: ffffffff8149cebf
RDX: 0000000000000000 RSI: ffffffff8149cecd RDI: 0000000000000001
RBP: ffff88809ad378b0 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff88809c0fa600
FS: 0000000000000000(0000) GS:ffff8880ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008c170000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 22, 2020, 4:03:19 AM10/22/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5b7a52cd Linux 4.14.202
syzbot found the following issue on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=103492b4500000
kernel config: https://syzkaller.appspot.com/x/.config?x=fa386e02ca459165
dashboard link: https://syzkaller.appspot.com/bug?extid=1d2f03fe5a7eb2aa966c
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1d2f03...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
RAX: ffffffffffffffda RBX: 000000000002b9c0 RCX: 000000000045de59
RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000003
RBP: 00007face0e61ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 00007ffdcb0885ef R14: 00007face0e629c0 R15: 000000000118bf2c
BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
IP: test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline]
IP: try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230
PGD 8d413067 P4D 8d413067 PUD 8d414067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 8665 Comm: kworker/0:3 Not tainted 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
task: ffff88809930e2c0 task.stack: ffff88805e2d0000
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline]
RIP: 0010:try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230
RSP: 0018:ffff88805e2d7960 EFLAGS: 00010097
RAX: ffff88809930e2c0 RBX: 0000000000000088 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88809930eb0c
RBP: ffff88805e2d79d0 R08: ffffffff8ae0a060 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000297 R14: dffffc0000000011 R15: ffff88809930e2c0
FS: 0000000000000000(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000088 CR3: 000000008d412000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0x90/0x460 kernel/workqueue.c:2923
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rhashtable_free_and_destroy+0x26/0x710 lib/rhashtable.c:1073
mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
mesh_pathtbl_unregister+0x42/0xa0 net/mac80211/mesh_pathtbl.c:906
ieee80211_teardown_sdata+0x1e2/0x290 net/mac80211/iface.c:1142
rollback_registered_many+0x83f/0xba0 net/core/dev.c:7217
rollback_registered+0xca/0x170 net/core/dev.c:7245
unregister_netdevice_queue+0x1b4/0x360 net/core/dev.c:8266
unregister_netdevice include/linux/netdevice.h:2442 [inline]
ieee80211_if_remove+0x1fc/0x2b0 net/mac80211/iface.c:1933
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:143
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0xee/0x690 net/wireless/core.c:317
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 4b 04 00 00 4c 89 6d 00 e8 db 1b 0b 00 45 84 e4 0f 85 71 01 00 00 e8 dd 3e 20 00 <f0> 48 0f ba 2b 00 72 1a 45 31 e4 e8 cd 3e 20 00 44 89 e0 48 83
RIP: test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline] RSP: ffff88805e2d7960
RIP: try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230 RSP: ffff88805e2d7960
CR2: 0000000000000088
---[ end trace 1eb8e675eb92e362 ]---
syzbot
Oct 22, 2020, 4:18:19 AM10/22/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 5b7a52cd Linux 4.14.202
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14d63778500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12df3d44500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1d2f03...@syzkaller.appspotmail.com
RBP: 00007ffd3f94cdf0 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000005 R14: 0000000000000000 R15: 0000000000000000
RAX: ffff8880b55fa600 RBX: 0000000000000088 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880b55fae4c
RBP: ffff8880b560f9d0 R08: 0000000000000000 R09: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
worker_thread+0x7d3/0xff0 kernel/workqueue.c:2252
RIP: try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230 RSP: ffff8880b560f960
CR2: 0000000000000088
---[ end trace 860b29d85a4047e3 ]---
HEAD commit: 5b7a52cd Linux 4.14.202
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=fa386e02ca459165
dashboard link: https://syzkaller.appspot.com/bug?extid=1d2f03fe5a7eb2aa966c
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17fa7a30500000
dashboard link: https://syzkaller.appspot.com/bug?extid=1d2f03fe5a7eb2aa966c
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12df3d44500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1d2f03...@syzkaller.appspotmail.com
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000005 R14: 0000000000000000 R15: 0000000000000000
BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
IP: test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline]
IP: try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230
PGD 0 P4D 0
IP: test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline]
IP: try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.202-syzkaller #0
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
task: ffff8880b55fa600 task.stack: ffff8880b5608000
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline]
RIP: 0010:try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230
RSP: 0018:ffff8880b560f960 EFLAGS: 00010097
RIP: 0010:try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230
RAX: ffff8880b55fa600 RBX: 0000000000000088 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880b55fae4c
RBP: ffff8880b560f9d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000297 R14: dffffc0000000011 R15: ffff8880b55fa600
FS: 0000000000000000(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000088 CR3: 0000000008e6a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0x90/0x460 kernel/workqueue.c:2923
rhashtable_free_and_destroy+0x26/0x710 lib/rhashtable.c:1073
mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
mesh_pathtbl_unregister+0x42/0xa0 net/mac80211/mesh_pathtbl.c:906
ieee80211_teardown_sdata+0x1e2/0x290 net/mac80211/iface.c:1142
rollback_registered_many+0x83f/0xba0 net/core/dev.c:7217
rollback_registered+0xca/0x170 net/core/dev.c:7245
unregister_netdevice_queue+0x1b4/0x360 net/core/dev.c:8266
unregister_netdevice include/linux/netdevice.h:2442 [inline]
ieee80211_if_remove+0x1fc/0x2b0 net/mac80211/iface.c:1933
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:143
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0xee/0x690 net/wireless/core.c:317
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
process_scheduled_works kernel/workqueue.c:2176 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0x90/0x460 kernel/workqueue.c:2923
rhashtable_free_and_destroy+0x26/0x710 lib/rhashtable.c:1073
mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
mesh_pathtbl_unregister+0x42/0xa0 net/mac80211/mesh_pathtbl.c:906
ieee80211_teardown_sdata+0x1e2/0x290 net/mac80211/iface.c:1142
rollback_registered_many+0x83f/0xba0 net/core/dev.c:7217
rollback_registered+0xca/0x170 net/core/dev.c:7245
unregister_netdevice_queue+0x1b4/0x360 net/core/dev.c:8266
unregister_netdevice include/linux/netdevice.h:2442 [inline]
ieee80211_if_remove+0x1fc/0x2b0 net/mac80211/iface.c:1933
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:143
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0xee/0x690 net/wireless/core.c:317
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x7d3/0xff0 kernel/workqueue.c:2252
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 4b 04 00 00 4c 89 6d 00 e8 db 1b 0b 00 45 84 e4 0f 85 71 01 00 00 e8 dd 3e 20 00 <f0> 48 0f ba 2b 00 72 1a 45 31 e4 e8 cd 3e 20 00 44 89 e0 48 83
RIP: test_and_set_bit arch/x86/include/asm/bitops.h:220 [inline] RSP: ffff8880b560f960
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 4b 04 00 00 4c 89 6d 00 e8 db 1b 0b 00 45 84 e4 0f 85 71 01 00 00 e8 dd 3e 20 00 <f0> 48 0f ba 2b 00 72 1a 45 31 e4 e8 cd 3e 20 00 44 89 e0 48 83
RIP: try_to_grab_pending+0xc3/0x610 kernel/workqueue.c:1230 RSP: ffff8880b560f960
CR2: 0000000000000088
---[ end trace 860b29d85a4047e3 ]---
syzbot
Nov 7, 2020, 12:14:18 AM11/7/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: b94de4d1 Linux 4.19.155
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b5438e500000
kernel config: https://syzkaller.appspot.com/x/.config?x=252047157acf1cb1
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e43746500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3bd70...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
PGD 994ca067 P4D 994ca067 PUD 9b1c9067 PMD 0
Code: 3c 02 00 0f 85 26 05 00 00 4c 89 6d 00 e8 3b 93 2a 00 31 ff 44 89 e6 e8 61 5d 25 00 45 84 e4 0f 85 da 01 00 00 e8 23 5c 25 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 3f 5d 25 00 45 84
RSP: 0018:ffff8880a8acf830 EFLAGS: 00010093
RAX: ffff8880a8ac2040 RBX: 0000000000000080 RCX: ffffffff813f725f
RDX: 0000000000000000 RSI: ffffffff813f726d RDI: 0000000000000001
RBP: ffff8880a8acf8a8 R08: 0000000000400000 R09: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
rhashtable_free_and_destroy+0x2b/0x970 lib/rhashtable.c:1145
rollback_registered_many+0x927/0xe70 net/core/dev.c:8202
rollback_registered+0xe9/0x1b0 net/core/dev.c:8230
unregister_netdevice_queue+0x1de/0x3e0 net/core/dev.c:9292
unregister_netdevice include/linux/netdevice.h:2614 [inline]
ieee80211_if_remove+0x213/0x310 net/mac80211/iface.c:1919
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
Code: 3c 02 00 0f 85 26 05 00 00 4c 89 6d 00 e8 3b 93 2a 00 31 ff 44 89 e6 e8 61 5d 25 00 45 84 e4 0f 85 da 01 00 00 e8 23 5c 25 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 3f 5d 25 00 45 84
Bluetooth: hci4: command 0x0409 tx timeout
RSP: 0018:ffff8880a8acf830 EFLAGS: 00010093
RAX: ffff8880a8ac2040 RBX: 0000000000000080 RCX: ffffffff813f725f
RDX: 0000000000000000 RSI: ffffffff813f726d RDI: 0000000000000001
RBP: ffff8880a8acf8a8 R08: 0000000000400000 R09: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
HEAD commit: b94de4d1 Linux 4.19.155
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b5438e500000
kernel config: https://syzkaller.appspot.com/x/.config?x=252047157acf1cb1
dashboard link: https://syzkaller.appspot.com/bug?extid=f3bd705c8213cd31abf6
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174f4d8a500000
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e43746500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3bd70...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
PGD 994ca067 P4D 994ca067 PUD 9b1c9067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3654 Comm: kworker/0:2 Not tainted 4.19.155-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x6f0 kernel/workqueue.c:1228
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
Code: 3c 02 00 0f 85 26 05 00 00 4c 89 6d 00 e8 3b 93 2a 00 31 ff 44 89 e6 e8 61 5d 25 00 45 84 e4 0f 85 da 01 00 00 e8 23 5c 25 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 3f 5d 25 00 45 84
RSP: 0018:ffff8880a8acf830 EFLAGS: 00010093
RAX: ffff8880a8ac2040 RBX: 0000000000000080 RCX: ffffffff813f725f
RDX: 0000000000000000 RSI: ffffffff813f726d RDI: 0000000000000001
RBP: ffff8880a8acf8a8 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff8880a8ac2040
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000009c025000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0xa6/0x590 kernel/workqueue.c:2974
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rhashtable_free_and_destroy+0x2b/0x970 lib/rhashtable.c:1145
mesh_table_free net/mac80211/mesh_pathtbl.c:72 [inline]
mesh_pathtbl_unregister+0x42/0x9a net/mac80211/mesh_pathtbl.c:827
ieee80211_teardown_sdata+0x209/0x2b0 net/mac80211/iface.c:1126
mesh_pathtbl_unregister+0x42/0x9a net/mac80211/mesh_pathtbl.c:827
rollback_registered_many+0x927/0xe70 net/core/dev.c:8202
rollback_registered+0xe9/0x1b0 net/core/dev.c:8230
unregister_netdevice_queue+0x1de/0x3e0 net/core/dev.c:9292
unregister_netdevice include/linux/netdevice.h:2614 [inline]
ieee80211_if_remove+0x213/0x310 net/mac80211/iface.c:1919
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:144
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0x1d0/0x750 net/wireless/core.c:317
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
CR2: 0000000000000080
---[ end trace 65c1d1ae26517b4a ]---
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
CR2: 0000000000000080
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x6f0 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 26 05 00 00 4c 89 6d 00 e8 3b 93 2a 00 31 ff 44 89 e6 e8 61 5d 25 00 45 84 e4 0f 85 da 01 00 00 e8 23 5c 25 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 3f 5d 25 00 45 84
Bluetooth: hci4: command 0x0409 tx timeout
RSP: 0018:ffff8880a8acf830 EFLAGS: 00010093
RAX: ffff8880a8ac2040 RBX: 0000000000000080 RCX: ffffffff813f725f
RDX: 0000000000000000 RSI: ffffffff813f726d RDI: 0000000000000001
RBP: ffff8880a8acf8a8 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff8880a8ac2040
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000009c025000 CR4: 00000000001406f0
Reply all
Reply to author
Forward
0 new messages