BUG: stack guard page was hit in unwind_next_frame


syzbot

May 3, 2020, 2:36:12 AM
to b...@alien8.de, h...@zytor.com, jpoi...@redhat.com, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, pet...@infradead.org, shile...@linux.alibaba.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
Hello,

syzbot found the following crash on:

HEAD commit: 8999dc89 net/x25: Fix null-ptr-deref in x25_disconnect
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=16004440100000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
dashboard link: https://syzkaller.appspot.com/bug?extid=e73ceacfd8560cc8a3ca
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e73cea...@syzkaller.appspotmail.com

bridge4: port 1(bond0) entered blocking state
bridge4: port 1(bond0) entered disabled state
BUG: stack guard page was hit at 000000008ec16325 (stack is 0000000068a067dc..00000000b4f7fcaf)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7601 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:unwind_next_frame+0xe4/0x19d0 arch/x86/kernel/unwind_orc.c:386
Code: 41 5d 41 5e 41 5f c3 4d 8d 67 48 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 80 3c 02 00 0f 85 39 12 00 00 49 8b 47 48 <48> 89 44 24 10 49 8d 47 38 48 89 c2 48 89 04 24 48 b8 00 00 00 00
RSP: 0018:ffffc9000cd07fe8 EFLAGS: 00010246
RAX: ffffffff81327f33 RBX: 1ffff920019a1005 RCX: ffffc9000cd08200
RDX: 1ffff920019a1038 RSI: 0000000000000000 RDI: ffffc9000cd08178
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffc9000cd081a0
R10: ffffc9000cd081cf R11: fffff520019a1039 R12: ffffc9000cd081c0
R13: fffff520019a1031 R14: fffff520019a1030 R15: ffffc9000cd08178
FS: 00007ff0d192f700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000cd07ff8 CR3: 000000005d606000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__unwind_start arch/x86/kernel/unwind_orc.c:655 [inline]
__unwind_start+0x474/0x820 arch/x86/kernel/unwind_orc.c:585
unwind_start arch/x86/include/asm/unwind.h:60 [inline]
arch_stack_walk+0x57/0xd0 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:123
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:495 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
slab_post_alloc_hook mm/slab.h:586 [inline]
slab_alloc_node mm/slab.c:3263 [inline]
kmem_cache_alloc_node+0x13c/0x760 mm/slab.c:3575
__alloc_skb+0xba/0x5a0 net/core/skbuff.c:198
alloc_skb include/linux/skbuff.h:1083 [inline]
nlmsg_new include/net/netlink.h:888 [inline]
rtmsg_ifinfo_build_skb+0x72/0x1a0 net/core/rtnetlink.c:3695
rtmsg_ifinfo_event.part.0+0x49/0xe0 net/core/rtnetlink.c:3731
rtmsg_ifinfo_event net/core/rtnetlink.c:5512 [inline]
rtnetlink_event+0x11e/0x150 net/core/rtnetlink.c:5505
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_change_features+0x61/0xb0 net/core/dev.c:9117
bond_compute_features.isra.0+0x521/0xa40 drivers/net/bonding/bond_main.c:1188
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3237 [inline]
bond_netdev_event+0x6ee/0x930 drivers/net/bonding/bond_main.c:3277
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
netdev_features_change net/core/dev.c:1364 [inline]
netdev_update_features net/core/dev.c:9101 [inline]
netdev_update_features+0xc4/0xd0 net/core/dev.c:9098
netdev_sync_lower_features net/core/dev.c:8910 [inline]
__netdev_update_features+0x821/0x12f0 net/core/dev.c:9045
netdev_update_features+0x63/0xd0 net/core/dev.c:9100
dev_disable_lro+0x45/0x320 net/core/dev.c:1592
br_add_if+0x8c5/0x1810 net/bridge/br_if.c:633
do_set_master net/core/rtnetlink.c:2470 [inline]
do_set_master+0x1d7/0x230 net/core/rtnetlink.c:2443
do_setlink+0xaa2/0x3680 net/core/rtnetlink.c:2605
__rtnl_newlink+0xad5/0x1590 net/core/rtnetlink.c:3266
rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3391
rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
___sys_sendmsg+0x100/0x170 net/socket.c:2416
__sys_sendmsg+0xec/0x1b0 net/socket.c:2449
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff0d192ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000500a40 RCX: 000000000045c829
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000006
RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fe R14: 00000000004ccb57 R15: 00007ff0d192f6d4
Modules linked in:
---[ end trace 9178e0e56bfc9183 ]---
RIP: 0010:unwind_next_frame+0xe4/0x19d0 arch/x86/kernel/unwind_orc.c:386
Code: 41 5d 41 5e 41 5f c3 4d 8d 67 48 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 80 3c 02 00 0f 85 39 12 00 00 49 8b 47 48 <48> 89 44 24 10 49 8d 47 38 48 89 c2 48 89 04 24 48 b8 00 00 00 00
RSP: 0018:ffffc9000cd07fe8 EFLAGS: 00010246
RAX: ffffffff81327f33 RBX: 1ffff920019a1005 RCX: ffffc9000cd08200
RDX: 1ffff920019a1038 RSI: 0000000000000000 RDI: ffffc9000cd08178
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffc9000cd081a0
R10: ffffc9000cd081cf R11: fffff520019a1039 R12: ffffc9000cd081c0
R13: fffff520019a1031 R14: fffff520019a1030 R15: ffffc9000cd08178
FS: 00007ff0d192f700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000cd07ff8 CR3: 000000005d606000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Hillf Danton

May 3, 2020, 6:22:41 AM
to syzbot, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com

Sat, 02 May 2020 23:36:11 -0700
Bail out if it's detected to handle the event more than once.

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3273,9 +3273,19 @@ static int bond_netdev_event(struct noti
return ret;
}

- if (event_dev->flags & IFF_SLAVE)
- return bond_slave_netdev_event(event, event_dev);
+ if (event_dev->flags & IFF_SLAVE) {
+ static void *tail_spin = NULL;
+ void *token = (void *) this + (void *) event_dev;
+
+ if (tail_spin == token) {
+ tail_spin = NULL;
+ return NOTIFY_DONE;
+ }
+ if (tail_spin == NULL)
+ tail_spin = token;

+ return bond_slave_netdev_event(event, event_dev);
+ }
return NOTIFY_DONE;
}
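Review bot: `(void *) this + (void *) event_dev` adds two pointers, which C does not permit, so this hunk does not compile; if the key is meant to identify both the notifier block and the device, keep two static pointers and compare both, or simply key on `event_dev`, since `this` is always bonding's own notifier block here. Separately, `tail_spin` is only reset by the nested call that detects the re-entry, never on the normal return path: after an event that does not recurse it stays armed with that device's token, so the next unrelated event for the same slave is silently dropped with NOTIFY_DONE, while an event for any other slave arriving meanwhile gets no protection at all because `tail_spin` is neither NULL nor equal to its token. Clear the token in the frame that set it, right after `bond_slave_netdev_event()` returns, and note that one static shared by every bond and every net namespace is also not keyed on `event`.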


Josh Poimboeuf

May 4, 2020, 3:04:04 PM
to syzbot, b...@alien8.de, h...@zytor.com, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, pet...@infradead.org, shile...@linux.alibaba.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
On Sat, May 02, 2020 at 11:36:11PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 8999dc89 net/x25: Fix null-ptr-deref in x25_disconnect
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=16004440100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
> dashboard link: https://syzkaller.appspot.com/bug?extid=e73ceacfd8560cc8a3ca
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e73cea...@syzkaller.appspotmail.com

Infinite loop in network code.

#syz dup: BUG: stack guard page was hit in deref_stack_reg

--
Josh

Cong Wang

May 4, 2020, 9:06:26 PM
to Josh Poimboeuf, syzbot, Borislav Petkov, H. Peter Anvin, LKML, Ingo Molnar, Linux Kernel Network Developers, Peter Zijlstra, shile...@linux.alibaba.com, syzkaller-bugs, Thomas Gleixner, x86
It is not a loop, it is an unbound recursion where netdev events
trigger between bond master and slave back and forth.

Let me see how this can be fixed properly.

Thanks!
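The back-and-forth Cong describes, as an added example that is not part of this thread or of the kernel source: a user-space C model of the master/slave feature sync. It assumes, as my reading of the trace rather than anything the report states, that the slave's driver cannot actually clear LRO and that the pre-fix path announces NETDEV_FEAT_CHANGE for a failed update as well as for a real one; every name in it (struct model_dev, FEAT_LRO, notify_policy, run_scenario) is invented. With the old announce rule the cycle nests until the depth cap, which stands in for the kernel's stack guard page; announcing only when the lower device really lost the feature converges after one round trip and stays silent when nothing changed.

```c
/*
 * Added example, not kernel code: a user-space model of the
 * NETDEV_FEAT_CHANGE ping-pong between a bond master and its slave shown
 * in the trace above. All names here are invented stand-ins, not the
 * kernel's identifiers.
 */
#include <stdbool.h>
#include <stdio.h>

#define FEAT_LRO  0x1u
#define MAX_DEPTH 64   /* stand-in for the kernel stack; the real kernel double-faults */

/* Which condition fires the (modelled) NETDEV_FEAT_CHANGE for a lower device. */
enum notify_policy {
    NOTIFY_ON_NONZERO,  /* old: fire on any nonzero update result, including "set failed" */
    NOTIFY_ON_CLEARED,  /* fire only if the lower device really lost the feature */
};

/* Invented stand-in for struct net_device: only what the cycle touches. */
struct model_dev {
    const char *name;
    unsigned int features;      /* features currently active */
    unsigned int wanted;        /* features requested by the admin or an upper device */
    struct model_dev *upper;    /* bond master, if this is a slave */
    struct model_dev *lower;    /* the slave, if this is a master */
    bool set_features_fails;    /* assumption: the slave's driver cannot clear LRO */
};

static int depth, max_depth, events;

static void feat_change_event(struct model_dev *d, enum notify_policy p);

/* Models __netdev_update_features(): apply `wanted` to the device and return
 * -1 if the driver refused, 1 if the features changed, 0 if nothing changed.
 * Then, like netdev_sync_lower_features(), push the LRO disable down to the
 * lower device and decide whether to announce it. */
static int update_features(struct model_dev *d, enum notify_policy p)
{
    int err;

    if (d->wanted == d->features)
        err = 0;
    else if (d->set_features_fails)
        err = -1;                       /* features stay as they were */
    else {
        d->features = d->wanted;
        err = 1;
    }

    struct model_dev *lower = d->lower;
    if (lower && !(d->features & FEAT_LRO) && (lower->features & FEAT_LRO)) {
        lower->wanted &= ~FEAT_LRO;
        int r = update_features(lower, p);
        bool fire = (p == NOTIFY_ON_NONZERO) ? (r != 0)
                                             : !(lower->features & FEAT_LRO);
        if (fire)
            feat_change_event(lower, p);
    }
    return err;
}

/* Models bond_netdev_event() handling NETDEV_FEAT_CHANGE on a slave: the
 * master recomputes its own features and re-syncs its lowers, which is the
 * bond_compute_features -> netdev_change_features -> __netdev_update_features
 * leg of the trace. */
static void feat_change_event(struct model_dev *d, enum notify_policy p)
{
    events++;
    if (++depth > max_depth)
        max_depth = depth;
    if (depth > MAX_DEPTH) {            /* where the kernel hits its guard page */
        depth--;
        return;
    }
    if (d->upper)
        update_features(d->upper, p);
    depth--;
}

/* Replays the report's trigger: a bridge enslaves bond0 and disables LRO on
 * it (dev_disable_lro -> netdev_update_features). Returns the deepest
 * nesting of feature-change events reached; MAX_DEPTH + 1 means "overflowed". */
static int run_scenario(enum notify_policy p, bool slave_driver_fails)
{
    struct model_dev slave = { .name = "slave0", .features = FEAT_LRO,
                               .wanted = FEAT_LRO,
                               .set_features_fails = slave_driver_fails };
    struct model_dev bond  = { .name = "bond0", .features = FEAT_LRO,
                               .wanted = FEAT_LRO, .lower = &slave };
    slave.upper = &bond;
    depth = max_depth = events = 0;

    bond.wanted &= ~FEAT_LRO;           /* dev_disable_lro(bond0) */
    update_features(&bond, p);
    return max_depth;
}

int main(void)
{
    int d;

    d = run_scenario(NOTIFY_ON_NONZERO, true);
    printf("old rule, slave cannot clear LRO: depth %d (overflow beyond %d)\n", d, MAX_DEPTH);
    d = run_scenario(NOTIFY_ON_CLEARED, true);
    printf("new rule, slave cannot clear LRO: depth %d, events %d\n", d, events);
    d = run_scenario(NOTIFY_ON_CLEARED, false);
    printf("new rule, slave clears LRO:       depth %d, events %d\n", d, events);
    return 0;
}
```

The depth cap exists only so the model can report the runaway instead of faulting; the kernel has no such cap, which is why the trace ends in a double fault on the stack guard page.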

Cong Wang

May 5, 2020, 3:02:27 AM
to Josh Poimboeuf, syzbot, Borislav Petkov, H. Peter Anvin, LKML, Ingo Molnar, Linux Kernel Network Developers, Peter Zijlstra, shile...@linux.alibaba.com, syzkaller-bugs, Thomas Gleixner, x86
The following patch works for me, I think it is reasonable to stop
the netdev event propagation from upper to lower device, but I am
not sure whether this will miss the netdev event in complex
multi-layer setups.

diff --git a/net/core/dev.c b/net/core/dev.c
index 522288177bbd..ece50ae346c3 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8907,7 +8907,7 @@ static void netdev_sync_lower_features(struct
net_device *upper,
netdev_dbg(upper, "Disabling feature %pNF on
lower dev %s.\n",
&feature, lower->name);
lower->wanted_features &= ~feature;
- netdev_update_features(lower);
+ __netdev_update_features(lower);

if (unlikely(lower->features & feature))
netdev_WARN(upper, "failed to disable
%pNF on %s!\n",
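Review bot: switching to `__netdev_update_features(lower)` discards its `int` result and with it the NETDEV_FEAT_CHANGE notification for the lower device in the case where the feature really was cleared, so listeners stacked on the lower device, and userspace via the rtnetlink path visible in the trace, never hear about that change. Keep the silence on the failure path the existing `netdev_WARN` already detects, but add `else netdev_features_change(lower);` after it, so the event fires only once the bit is actually gone: on the re-entry that follows, `lower->features & feature` is false, the sync loop does nothing, and the master/slave cycle terminates at that fixed point instead of being cut off entirely. A short comment on why the wrapper is bypassed here would save the next reader from "fixing" it back.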

Dan Carpenter

May 7, 2020, 6:00:00 AM
to Hillf Danton, syzbot, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, May 03, 2020 at 06:22:20PM +0800, Hillf Danton wrote:
> Bail out if it's detected to handle the event more than once.
>
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -3273,9 +3273,19 @@ static int bond_netdev_event(struct noti
> return ret;
> }
>
> - if (event_dev->flags & IFF_SLAVE)
> - return bond_slave_netdev_event(event, event_dev);
> + if (event_dev->flags & IFF_SLAVE) {
> + static void *tail_spin = NULL;
^^^^^^^^^^^^^^^^
assigning NULL

> + void *token = (void *) this + (void *) event_dev;

Adding a pointer to a pointer doesn't make any sense. But the result
is non-NULL because event_dev is non-NULL.

> +
> + if (tail_spin == token) {
^^^^^^^^^^^^^^^^^^
Impossible because tail_spin is NULL and token is non-NULL.

> + tail_spin = NULL;
^^^^^^^^^^^^^^^^
re-assigning NULL. local variable assigned right before a return is
pointless.

> + return NOTIFY_DONE;
> + }
> + if (tail_spin == NULL)

Always true condition.

> + tail_spin = token;

Pointless assign.

>
> + return bond_slave_netdev_event(event, event_dev);

This whole patch is a very complicated no-op. :P I'm not sure at all
what was intended by this patch.

> + }
> return NOTIFY_DONE;
> }

regards,
dan carpenter

Hillf Danton

May 7, 2020, 9:32:04 AM
to Dan Carpenter, syzbot, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com

On Thu, 7 May 2020 12:59:49 Dan Carpenter wrote:
>
> On Sun, May 03, 2020 at 06:22:20PM +0800, Hillf Danton wrote:
> > Bail out if it's detected to handle the event more than once.
> >
> > --- a/drivers/net/bonding/bond_main.c
> > +++ b/drivers/net/bonding/bond_main.c
> > @@ -3273,9 +3273,19 @@ static int bond_netdev_event(struct noti
> > return ret;
> > }
> >
> > - if (event_dev->flags & IFF_SLAVE)
> > - return bond_slave_netdev_event(event, event_dev);
> > + if (event_dev->flags & IFF_SLAVE) {
> > + static void *tail_spin = NULL;
> ^^^^^^^^^^^^^^^^
> assigning NULL
>
> > + void *token = (void *) this + (void *) event_dev;
>
> Adding a pointer to a pointer doesn't make any sense. But the result
> is non-NULL because event_dev is non-NULL.

I wanted to capture the same notifier and the same net device, though
the former is indeed redundant. As you see, it was toe-curling to do
weird coding in an attempt to fix something like this report.

>
> > +
> > + if (tail_spin == token) {
> ^^^^^^^^^^^^^^^^^^
> Impossible because tail_spin is NULL and token is non-NULL.
>
> > + tail_spin = NULL;
> ^^^^^^^^^^^^^^^^
> re-assigning NULL. local variable assigned right before a return is
> pointless.

Ah got your point and the above one: tail_spin is declared static.

>
> > + return NOTIFY_DONE;
> > + }
> > + if (tail_spin == NULL)
>
> Always true condition.
>
> > + tail_spin = token;
>
> Pointless assign.
>
> >
> > + return bond_slave_netdev_event(event, event_dev);
>
> This whole patch is a very complicated no-op. :P I'm not sure at all
> what was intended by this patch.

You're right. The send button was hit before thinking twice.
Sorry for the noise.

To avoid eating up the stack, skip handling the event if we have met
the net device before.
Every return from bond_slave_netdev_event() means it is no longer moving
toward the stack limit without a break, so it is the right time to refresh
the token.

What's not covered is the risk that we run out of stack before the bailout
due to the number of slave devices.

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3273,8 +3273,18 @@ static int bond_netdev_event(struct noti
return ret;
}

- if (event_dev->flags & IFF_SLAVE)
- return bond_slave_netdev_event(event, event_dev);
+ if (event_dev->flags & IFF_SLAVE) {
+ int ret = NOTIFY_DONE;
+ static struct net_device *token = NULL;
+
+ if (token != event_dev) {
+ if (!token)
+ token = event_dev;
+ ret = bond_slave_netdev_event(event, event_dev);
+ }
+ token = NULL;
+ return ret;
+ }

return NOTIFY_DONE;
}
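Review bot: `int ret = NOTIFY_DONE;` declared inside the `IFF_SLAVE` block shadows the `ret` the function already returns a few lines up (`return ret;` in the context), which reads as a bug even where it is harmless; reuse the outer variable. More importantly, `token = NULL;` runs unconditionally, so the nested call that detects the re-entry (`token == event_dev`) disarms the guard on its way out while the outer frame is still inside `bond_slave_netdev_event()`; the next feature the outer sync loop pushes down then finds `token == NULL`, arms it again and recurses once more, so the recursion is throttled rather than stopped, and the stack concern raised in the cover text remains. Clear the token only in the frame that set it, for example by remembering `armed = !token` before `token = event_dev;` and executing `if (armed) token = NULL;` after the call. A single static pointer is also shared by every bond and every net namespace and is not keyed on `event`, so any other notification for the same slave that arrives while the first is being handled is dropped with NOTIFY_DONE.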
