BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

[syzbot]

Hello,

syzbot hit the following crash on net-next commit
65bd449c32c2745df61913ab54087e77f9d9b70d (Fri Feb 16 20:26:35 2018 +0000)
Merge branch 'tipc-de-generealize-topology-server'

So far this crash happened 25 times on net-next.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+749d9d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Not tainted 4.16.0-rc1+ #230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 1 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

[Dmitry Vyukov]

On Sat, Feb 17, 2018 at 4:00 AM, syzbot
<syzbot+749d9d...@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 65bd449c32c2745df61913ab54087e77f9d9b70d (Fri Feb 16 20:26:35 2018 +0000)
> Merge branch 'tipc-de-generealize-topology-server'

+tipc maintainers

> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/001a1143e44e58485f05655fa8ae%40google.com.
> For more options, visit https://groups.google.com/d/optout.

[Kirill Tkhai]

On 17.02.2018 11:15, Dmitry Vyukov wrote:
> On Sat, Feb 17, 2018 at 4:00 AM, syzbot
> <syzbot+749d9d...@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot hit the following crash on net-next commit
>> 65bd449c32c2745df61913ab54087e77f9d9b70d (Fri Feb 16 20:26:35 2018 +0000)
>> Merge branch 'tipc-de-generealize-topology-server'
>
> +tipc maintainers

This looks to be caused by commit 0ef897be12b8
"tipc: separate topology server listener socket from subcsriber sockets"

Thanks,
Kirill

[Jon Maloy]

I don't understand this one. tipc_topsrv_stop() can only be trigged from a user doing rmmod(), and I double checked that this is running in user mode.
How does the call chain you are reporting occur?

///jon


> -----Original Message-----
> From: Kirill Tkhai [mailto:ktk...@virtuozzo.com]
> Sent: Saturday, February 17, 2018 23:23
> To: Dmitry Vyukov <dvy...@google.com>; syzbot
> <syzbot+749d9d...@syzkaller.appspotmail.com>; Jon Maloy
> <jon....@ericsson.com>; Ying Xue <ying...@windriver.com>
> Cc: Andrei Vagin <ava...@virtuozzo.com>; David Miller
> <da...@davemloft.net>; Eric W. Biederman <ebie...@xmission.com>;
> Florian Westphal <f...@strlen.de>; LKML <linux-...@vger.kernel.org>;
> netdev <net...@vger.kernel.org>; Nicolas Dichtel
> <nicolas...@6wind.com>; roman...@sysgo.com; syzkaller-
> bu...@googlegroups.com; tipc-di...@lists.sourceforge.net
> Subject: Re: BUG: sleeping function called from invalid context at
> net/core/sock.c:LINE (3)

[Dmitry Vyukov]

On Mon, Feb 19, 2018 at 2:23 PM, Jon Maloy <jon....@ericsson.com> wrote:
> I don't understand this one. tipc_topsrv_stop() can only be trigged from a user doing rmmod(), and I double checked that this is running in user mode.
> How does the call chain you are reporting occur?

Hi Jon,

Please see the original syzbot report, it includes all known
information about the bug (including a reproducer program):
https://groups.google.com/forum/#!topic/syzkaller-bugs/jWAs6YWMp9g

[Paolo Abeni]

On Mon, 2018-02-19 at 13:23 +0000, Jon Maloy wrote:
> I don't understand this one. tipc_topsrv_stop() can only be trigged
> from a user doing rmmod(), and I double checked that this is running
> in user mode.
> How does the call chain you are reporting occur?

tipc_topsrv_stop() is called also at net namespace destruction time:

static void __net_exit tipc_exit_net(struct net *net)
{
tipc_topsrv_stop(net);
#...

I *think* the following should fix the issue, but I'm unsure if it's
safe.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master

---
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index 02013e00f287..63f35eae7236 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -693,9 +693,9 @@ void tipc_topsrv_stop(struct net *net)
}
__module_get(lsock->ops->owner);
__module_get(lsock->sk->sk_prot_creator->owner);
- sock_release(lsock);
srv->listener = NULL;
spin_unlock_bh(&srv->idr_lock);
+ sock_release(lsock);
tipc_topsrv_work_stop(srv);
idr_destroy(&srv->conn_idr);
kfree(srv);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+749d9d...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on net-next commit
1ec010e705934c8acbe7dbf31afc81e60e3d828b (Fri Feb 16 10:03:07 2018 +0000)
tun: export flags, uid, gid, queue information over netlink

compiler: gcc (GCC) 7.1.1 20170620

Patch is attached.
Kernel config is attached.


---
There is no WARRANTY for the result, to the extent permitted by applicable
law.
Except when otherwise stated in writing syzbot provides the result "AS IS"
without warranty of any kind, either expressed or implied, but not limited
to,
the implied warranties of merchantability and fittness for a particular
purpose.
The entire risk as to the quality of the result is with you. Should the
result
prove defective, you assume the cost of all necessary servicing, repair or
correction.

[Kirill Tkhai]

On 19.02.2018 16:23, Jon Maloy wrote:
> I don't understand this one. tipc_topsrv_stop() can only be trigged from a user doing rmmod(), and I double checked that this is running in user mode.
> How does the call chain you are reporting occur?
>

In case of CONFIG_NET_NS=y, pernet_operations::exit() is called after last reference
to a net is dropped. So, this may happen not only on module unload path.

Kirill