Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11fa606a700000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=15d6d157ed13717f5867
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1121e5ba700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=107cf5f8700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+15d6d1...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [kworker/0:2:3639]
Modules linked in:
irq event stamp: 20039
hardirqs last enabled at (20038): [<ffffffff81003ce4>] trace_hardirqs_on_thunk+0x1a/0x1c
hardirqs last disabled at (20039): [<ffffffff81003d00>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last enabled at (14972): [<ffffffff8709031e>] icmp6_dst_alloc+0x3de/0x660 net/ipv6/route.c:2750
softirqs last disabled at (14974): [<ffffffff87020872>] lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
softirqs last disabled at (14974): [<ffffffff87020872>] ip6_finish_output2+0x1f2/0x2290 net/ipv6/ip6_output.c:106
CPU: 0 PID: 3639 Comm: kworker/0:2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:preempt_count_add+0x20/0x190 kernel/sched/core.c:3230
Code: f7 36 8d e8 b2 f3 56 00 eb ab 48 b8 00 00 00 00 00 fc ff df 55 89 fd 53 48 c7 c3 60 37 24 8d 48 89 da 48 c1 ea 03 0f b6 14 02 <48> 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 2a 01 00 00 8b
RSP: 0018:ffff8880a8aaebe0 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffffffff8d243760 RCX: ffffffff868c174f
RDX: 0000000000000004 RSI: ffffffff868c9402 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000000000005 R11: 0000000000074071 R12: 1ffff11015155d86
R13: dffffc0000000000 R14: ffff8880a9ed8cf0 R15: ffff8880a8aaee40
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f45edfb93b0 CR3: 0000000009e6d000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__raw_spin_lock include/linux/spinlock_api_smp.h:141 [inline]
_raw_spin_lock+0xe/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
tcf_police_act+0x7a/0xe60 net/sched/act_police.c:216
tcf_action_exec net/sched/act_api.c:618 [inline]
tcf_action_exec+0x160/0x400 net/sched/act_api.c:598
tcf_exts_exec include/net/pkt_cls.h:388 [inline]
route4_classify+0x8d6/0x1420 net/sched/cls_route.c:183
tcf_classify+0x120/0x3c0 net/sched/cls_api.c:979
prio_classify net/sched/sch_prio.c:46 [inline]
prio_enqueue+0x3bb/0x7a0 net/sched/sch_prio.c:78
__dev_xmit_skb net/core/dev.c:3494 [inline]
__dev_queue_xmit+0x140a/0x2e00 net/core/dev.c:3807
neigh_hh_output include/net/neighbour.h:491 [inline]
neigh_output include/net/neighbour.h:499 [inline]
ip_finish_output2+0xb6d/0x15a0 net/ipv4/ip_output.c:230
ip_finish_output+0xae9/0x10b0 net/ipv4/ip_output.c:318
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip_output+0x203/0x5f0 net/ipv4/ip_output.c:406
dst_output include/net/dst.h:455 [inline]
ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
iptunnel_xmit+0x63b/0x9d0 net/ipv4/ip_tunnel_core.c:91
geneve_xmit_skb drivers/net/geneve.c:867 [inline]
geneve_xmit+0x120d/0x2e60 drivers/net/geneve.c:943
__netdev_start_xmit include/linux/netdevice.h:4349 [inline]
netdev_start_xmit include/linux/netdevice.h:4363 [inline]
xmit_one net/core/dev.c:3256 [inline]
dev_hard_start_xmit+0x1a8/0x920 net/core/dev.c:3272
__dev_queue_xmit+0x269d/0x2e00 net/core/dev.c:3838
neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
neigh_output include/net/neighbour.h:501 [inline]
ip6_finish_output2+0x113d/0x2290 net/ipv6/ip6_output.c:120
ip6_finish_output+0x89b/0x10f0 net/ipv6/ip6_output.c:192
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip6_output+0x205/0x770 net/ipv6/ip6_output.c:209
dst_output include/net/dst.h:455 [inline]
NF_HOOK include/linux/netfilter.h:289 [inline]
ndisc_send_skb+0xa24/0x1720 net/ipv6/ndisc.c:491
ndisc_send_ns+0x51d/0x840 net/ipv6/ndisc.c:633
addrconf_dad_work+0xb0e/0x10a0 net/ipv6/addrconf.c:4076
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 36 8d ss (bad)
2: e8 b2 f3 56 00 callq 0x56f3b9
7: eb ab jmp 0xffffffb4
9: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
10: fc ff df
13: 55 push %rbp
14: 89 fd mov %edi,%ebp
16: 53 push %rbx
17: 48 c7 c3 60 37 24 8d mov $0xffffffff8d243760,%rbx
1e: 48 89 da mov %rbx,%rdx
21: 48 c1 ea 03 shr $0x3,%rdx
25: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
* 29: 48 89 d8 mov %rbx,%rax <-- trapping instruction
2c: 83 e0 07 and $0x7,%eax
2f: 83 c0 03 add $0x3,%eax
32: 38 d0 cmp %dl,%al
34: 7c 08 jl 0x3e
36: 84 d2 test %dl,%dl
38: 0f 85 2a 01 00 00 jne 0x168
3e: 8b .byte 0x8b
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches