[syzbot] [net?] WARNING in xfrm_state_fini (4)


syzbot

Oct 12, 2025, 5:35:31 PM
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ffce84bccb4d Merge branch 'bpf-avoid-rcu-context-warning-w..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=112559e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1e0e0bf7e51565cd
dashboard link: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1514d304580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cd489c5f530a/disk-ffce84bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e4a06e8e5022/vmlinux-ffce84bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c1111b7581ab/bzImage-ffce84bc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+999eb2...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3306 xfrm_state_fini+0x26d/0x2f0 net/xfrm/xfrm_state.c:3306
Modules linked in:
CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: netns cleanup_net
RIP: 0010:xfrm_state_fini+0x26d/0x2f0 net/xfrm/xfrm_state.c:3306
Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 4b f0 36 f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 99 e1 16 f8 e8 64 4d d1 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 56 4d d1 f7 90 0f 0b 90 e9 60 fe ff ff
RSP: 0018:ffffc90000ac7878 EFLAGS: 00010293
RAX: ffffffff89edd6ec RBX: ffff888058e08000 RCX: ffff88801ce99e40
RDX: 0000000000000000 RSI: ffffffff8d9cc7ae RDI: ffff88801ce99e40
RBP: ffffc90000ac7990 R08: ffffffff8f9db437 R09: 1ffffffff1f3b686
R10: dffffc0000000000 R11: fffffbfff1f3b687 R12: ffffffff8f5d4bc0
R13: 1ffff92000158f3c R14: ffff888058e094c0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888125e27000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007eff78efa6b0 CR3: 000000007788c000 CR4: 00000000003526f0
Call Trace:
<TASK>
xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4354
ops_exit_list net/core/net_namespace.c:199 [inline]
ops_undo_list+0x497/0x990 net/core/net_namespace.c:252
cleanup_net+0x4d8/0x820 net/core/net_namespace.c:695
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Oct 13, 2025, 7:08:06 PM
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/ipv4/udp.c
patch: **** unexpected end of file in patch



Tested on:

commit: 3a866087 Linux 6.18-rc1
git tree: bpf
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
patch: https://syzkaller.appspot.com/x/patch.diff?x=11a479e2580000

Eric Dumazet

Oct 14, 2025, 4:36:06 AM
to syzbot, da...@davemloft.net, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
#syz test

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 95241093b7f0..17240503a366 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1744,6 +1744,8 @@ int __udp_enqueue_schedule_skb(struct sock *sk,
struct sk_buff *skb)

atomic_add(size, &udp_prod_queue->rmem_alloc);

+ secpath_reset(skb);
+
if (!llist_add(&skb->ll_node, &udp_prod_queue->ll_root))
return 0;
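
Review bot: the secpath_reset(skb) call placed just before llist_add() has no comment or changelog, so a reader of __udp_enqueue_schedule_skb() cannot tell why the secpath is dropped at enqueue time. A one-line comment tying it to the lifetime problem in this report (the warning fires from xfrm_state_fini() during cleanup_net) would make the intent reviewable, and the changelog should state whether anything after enqueue is still expected to read the skb's secpath. The call also sits after atomic_add(size, &udp_prod_queue->rmem_alloc), so please confirm that no earlier return in this function queues or keeps the skb without reaching it.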

syzbot

Oct 19, 2025, 9:04:05 PM
to da...@davemloft.net, dsa...@kernel.org, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@queasysnail.net, steffen....@secunet.com, syzkall...@googlegroups.com
syzbot has bisected this issue to:

commit b441cf3f8c4b8576639d20c8eb4aa32917602ecd
Author: Sabrina Dubroca <s...@queasysnail.net>
Date: Fri Jul 4 14:54:33 2025 +0000

xfrm: delete x->tunnel as we delete x

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14b49734580000
start commit: 0b4b77eff5f8 doc: fix seg6_flowlabel path
git tree: net
final oops: https://syzkaller.appspot.com/x/report.txt?x=16b49734580000
console output: https://syzkaller.appspot.com/x/log.txt?x=12b49734580000
kernel config: https://syzkaller.appspot.com/x/.config?x=61ab7fa743df0ec1
dashboard link: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12cc05e2580000

Reported-by: syzbot+999eb2...@syzkaller.appspotmail.com
Fixes: b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Wang Liang

7:03 AM
to syzbot+999eb2...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, steffen....@secunet.com, her...@gondor.apana.org.au, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, ho...@kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, yueha...@huawei.com, zhangch...@huawei.com, wangl...@huawei.com
#syz test

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index f3014e4f54fc..2e7ab56db152 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -441,6 +441,7 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);

void xfrm_flush_gc(void);
+void xfrm_state_delete_tunnel(struct xfrm_state *x);

struct xfrm_type {
struct module *owner;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d213ca3653a8..5d982e4e6526 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -806,7 +806,6 @@ void __xfrm_state_destroy(struct xfrm_state *x)
}
EXPORT_SYMBOL(__xfrm_state_destroy);

-static void xfrm_state_delete_tunnel(struct xfrm_state *x);
int __xfrm_state_delete(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -3085,7 +3084,7 @@ void xfrm_flush_gc(void)
}
EXPORT_SYMBOL(xfrm_flush_gc);

-static void xfrm_state_delete_tunnel(struct xfrm_state *x)
+void xfrm_state_delete_tunnel(struct xfrm_state *x)
{
if (x->tunnel) {
struct xfrm_state *t = x->tunnel;
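
Review bot: xfrm_state_delete_tunnel() loses its static qualifier here and becomes callable from outside xfrm_state.c, but it gains no comment describing what a caller must guarantee. The function reads x->tunnel and later sets it to NULL, so a short kernel-doc comment stating the expected context (which lock, if any, and what state x must be in when it is called) would keep future callers from using it on a live state.
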
@@ -3096,6 +3095,7 @@ static void xfrm_state_delete_tunnel(struct xfrm_state *x)
x->tunnel = NULL;
}
}
+EXPORT_SYMBOL(xfrm_state_delete_tunnel);

u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
{
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 010c9e6638c0..7f769617882c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1031,6 +1031,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
xfrm_dev_state_delete(x);
+ xfrm_state_delete_tunnel(x);
__xfrm_state_put(x);
goto out;
}
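
Review bot: the err < 0 branch of xfrm_add_sa() open-codes state teardown (km.state = XFRM_STATE_DEAD, xfrm_dev_state_delete(x), now xfrm_state_delete_tunnel(x), then __xfrm_state_put(x)), so any other path that kills a state without going through __xfrm_state_delete() needs the same extra call and nothing here enforces it. Please say in the changelog whether other such paths were checked, or fold this sequence into one helper so the individual calls cannot drift apart. As posted, the patch also has no commit message or Signed-off-by, and the Fixes: tag suggested by the bisection is missing.
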
--
2.34.1

Sabrina Dubroca

8:20 AM
to Wang Liang, syzbot+999eb2...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, steffen....@secunet.com, her...@gondor.apana.org.au, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, ho...@kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, yueha...@huawei.com, zhangch...@huawei.com
2025-10-20, 19:25:53 +0800, Wang Liang wrote:
> #syz test

I've already sent
https://lore.kernel.org/all/15c383b3491b6ecedc98380e9db5b...@queasysnail.net/
which should address this issue (and the other report in
xfrm6_tunnel_net_exit).

--
Sabrina

syzbot

8:26 AM
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com, wangl...@huawei.com, yueha...@huawei.com, zhangch...@huawei.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+999eb2...@syzkaller.appspotmail.com
Tested-by: syzbot+999eb2...@syzkaller.appspotmail.com

Tested on:

commit: ffff5c8f net: phy: realtek: fix rtl8221b-vm-cg name
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=11573c58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15159734580000

Note: testing is done by a robot and is best-effort only.