[v6.1] WARNING: ODEBUG bug in netdev_freemem


syzbot

May 5, 2023, 7:00:51 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ca48fc16c493 Linux 6.1.27
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=100c2c5c280000
kernel config: https://syzkaller.appspot.com/x/.config?x=aea4bb7802570997
dashboard link: https://syzkaller.appspot.com/bug?extid=b991a8d8b71df922c5c0
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ec11c1903c52/disk-ca48fc16.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8ce41c1ad391/vmlinux-ca48fc16.xz
kernel image: https://storage.googleapis.com/syzbot-assets/affba5631cad/Image-ca48fc16.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b991a8...@syzkaller.appspotmail.com

------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:177 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: __refcount_sub_and_test include/linux/refcount.h:272 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: __refcount_dec_and_test include/linux/refcount.h:315 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: refcount_dec_and_test include/linux/refcount.h:333 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: kref_put include/linux/kref.h:64 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: batadv_dat_entry_put net/batman-adv/distributed-arp-table.c:133 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: batadv_dat_purge+0x0/0x154 net/batman-adv/distributed-arp-table.c:1829
WARNING: CPU: 1 PID: 7450 at lib/debugobjects.c:512 debug_print_object lib/debugobjects.c:509 [inline]
WARNING: CPU: 1 PID: 7450 at lib/debugobjects.c:512 __debug_check_no_obj_freed lib/debugobjects.c:996 [inline]
WARNING: CPU: 1 PID: 7450 at lib/debugobjects.c:512 debug_check_no_obj_freed+0x3f0/0x50c lib/debugobjects.c:1027
Modules linked in:
CPU: 1 PID: 7450 Comm: kworker/u4:19 Not tainted 6.1.27-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: netns cleanup_net
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:509 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:996 [inline]
pc : debug_check_no_obj_freed+0x3f0/0x50c lib/debugobjects.c:1027
lr : debug_print_object lib/debugobjects.c:509 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:996 [inline]
lr : debug_check_no_obj_freed+0x3f0/0x50c lib/debugobjects.c:1027
sp : ffff80001e9575e0
x29: ffff80001e957620 x28: ffff8000122596a0 x27: dfff800000000000
x26: ffff0000d8fed4f8 x25: 0000000000000000 x24: ffff800019864bc8
x23: ffff0000dd9ac3f0 x22: ffff800012710538 x21: ffff8000122596a0
x20: ffff800019864bc0 x19: ffff0000d8fec000 x18: ffff80001e9569e0
x17: 6e6968207473696c x16: ffff8000120e6354 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
x11: ff808000081ae818 x10: 0000000000000000 x9 : eca0168922446900
x8 : eca0168922446900 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001e956ed8 x4 : ffff800015672960 x3 : ffff800008585158
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
debug_print_object lib/debugobjects.c:509 [inline]
__debug_check_no_obj_freed lib/debugobjects.c:996 [inline]
debug_check_no_obj_freed+0x3f0/0x50c lib/debugobjects.c:1027
slab_free_hook mm/slub.c:1699 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x258/0x4b4 mm/slub.c:3674
kfree+0xcc/0x1b8 mm/slab_common.c:1007
kvfree+0x40/0x50 mm/util.c:627
netdev_freemem+0x4c/0x64 net/core/dev.c:10537
netdev_release+0x88/0xb0 net/core/net-sysfs.c:1910
device_release+0x8c/0x1ac
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x2a8/0x41c lib/kobject.c:729
netdev_run_todo+0xcf0/0xe08 net/core/dev.c:10373
rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:147
default_device_exit_batch+0x6c4/0x73c net/core/dev.c:11337
ops_exit_list net/core/net_namespace.c:174 [inline]
cleanup_net+0x5dc/0x994 net/core/net_namespace.c:601
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2289
worker_thread+0x8e4/0xfec kernel/workqueue.c:2436
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 11262658
hardirqs last enabled at (11262657): [<ffff80000834278c>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (11262658): [<ffff8000120e200c>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (11262566): [<ffff800011e90e20>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (11262566): [<ffff800011e90e20>] batadv_tvlv_handler_unregister+0x158/0x254 net/batman-adv/tvlv.c:575
softirqs last disabled at (11262564): [<ffff800011e90d8c>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (11262564): [<ffff800011e90d8c>] batadv_tvlv_handler_unregister+0xc4/0x254 net/batman-adv/tvlv.c:573
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Aug 23, 2023, 5:09:35 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.