Hello,
syzbot found the following issue on:
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=14b98ea0500000
kernel config:
https://syzkaller.appspot.com/x/.config?x=19e1d59b1459bb9a
dashboard link:
https://syzkaller.appspot.com/bug?extid=f3bd705c8213cd31abf6
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+f3bd70...@syzkaller.appspotmail.com
RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000003
RBP: 00007f7197b66ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 00007fff88d5628f R14: 00007f7197b679c0 R15: 000000000118bf2c
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
PGD 8c171067 P4D 8c171067 PUD 8c172067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6178 Comm: kworker/0:3 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x720 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 56 05 00 00 4c 89 6d 00 e8 ab 82 2d 00 31 ff 44 89 e6 e8 41 05 28 00 45 84 e4 0f 85 da 01 00 00 e8 03 04 28 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 1f 05 28 00 45 84
RSP: 0018:ffff88809ad37838 EFLAGS: 00010093
RAX: ffff88809c0fa600 RBX: 0000000000000080 RCX: ffffffff8149cebf
RDX: 0000000000000000 RSI: ffffffff8149cecd RDI: 0000000000000001
RBP: ffff88809ad378b0 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff88809c0fa600
FS: 0000000000000000(0000) GS:ffff8880ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008c170000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cancel_work_timer+0xa6/0x5c0 kernel/workqueue.c:2974
rhashtable_free_and_destroy+0x2b/0xa50 lib/rhashtable.c:1145
mesh_table_free net/mac80211/mesh_pathtbl.c:72 [inline]
mesh_pathtbl_unregister+0x42/0x9a net/mac80211/mesh_pathtbl.c:827
ieee80211_teardown_sdata+0x216/0x2d0 net/mac80211/iface.c:1126
rollback_registered_many+0x97d/0xf00 net/core/dev.c:8202
rollback_registered+0xe9/0x1b0 net/core/dev.c:8230
unregister_netdevice_queue+0x1de/0x400 net/core/dev.c:9292
unregister_netdevice include/linux/netdevice.h:2614 [inline]
ieee80211_if_remove+0x213/0x330 net/mac80211/iface.c:1919
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:144
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0x1f4/0x7c0 net/wireless/core.c:317
cfg80211_destroy_iface_wk+0x1a/0x20 net/wireless/core.c:329
process_one_work+0x796/0x14e0 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
CR2: 0000000000000080
---[ end trace d008542704297176 ]---
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:try_to_grab_pending+0xcd/0x720 kernel/workqueue.c:1228
Code: 3c 02 00 0f 85 56 05 00 00 4c 89 6d 00 e8 ab 82 2d 00 31 ff 44 89 e6 e8 41 05 28 00 45 84 e4 0f 85 da 01 00 00 e8 03 04 28 00 <f0> 48 0f ba 2b 00 41 0f 92 c4 31 ff 44 89 e6 e8 1f 05 28 00 45 84
RSP: 0018:ffff88809ad37838 EFLAGS: 00010093
RAX: ffff88809c0fa600 RBX: 0000000000000080 RCX: ffffffff8149cebf
RDX: 0000000000000000 RSI: ffffffff8149cecd RDI: 0000000000000001
RBP: ffff88809ad378b0 R08: 0000000000400000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000293 R14: dffffc0000000010 R15: ffff88809c0fa600
FS: 0000000000000000(0000) GS:ffff8880ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008c170000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.