KCSAN: data-race in __dev_set_promiscuity / ip_route_output_key_hash_rcu

syzbot

Dec 11, 2020, 6:41:12 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: b6505459 Linux 5.10-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17b87165500000
kernel config: https://syzkaller.appspot.com/x/.config?x=c949fed53798f819
dashboard link: https://syzkaller.appspot.com/bug?extid=bf50eb9f0aa68fb96bbf
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project.git 913f6005669cfb590c99865a90bc51ed0983d09d)
CC: [da...@davemloft.net ku...@kernel.org kuz...@ms2.inr.ac.ru linux-...@vger.kernel.org net...@vger.kernel.org yosh...@linux-ipv6.org]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bf50eb...@syzkaller.appspotmail.com

device macvtap1 entered promiscuous mode
==================================================================
BUG: KCSAN: data-race in __dev_set_promiscuity / ip_route_output_key_hash_rcu

read to 0xffff8881221bb228 of 4 bytes by interrupt on cpu 1:
ip_route_output_key_hash_rcu+0x189/0x950 net/ipv4/route.c:2584
ip_route_output_key_hash net/ipv4/route.c:2507 [inline]
__ip_route_output_key include/net/route.h:126 [inline]
ip_route_output_flow+0xaf/0x160 net/ipv4/route.c:2768
ip_route_output_ports include/net/route.h:169 [inline]
igmpv3_newpack+0x173/0x560 net/ipv4/igmp.c:369
add_grhead net/ipv4/igmp.c:440 [inline]
add_grec+0xbc3/0xd10 net/ipv4/igmp.c:573
igmpv3_send_cr net/ipv4/igmp.c:710 [inline]
igmp_ifc_timer_expire+0x5d5/0xa20 net/ipv4/igmp.c:807
call_timer_fn+0x2e/0x240 kernel/time/timer.c:1410
expire_timers+0x116/0x260 kernel/time/timer.c:1455
__run_timers+0x338/0x3d0 kernel/time/timer.c:1747
run_timer_softirq+0x19/0x30 kernel/time/timer.c:1760
__do_softirq+0x12c/0x2b1 kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0xb2/0xc0 kernel/softirq.c:423
sysvec_apic_timer_interrupt+0x74/0x90 arch/x86/kernel/apic/apic.c:1091
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
kcsan_setup_watchpoint+0x1ec/0x4d0 kernel/kcsan/core.c:591
skb_zcopy include/linux/skbuff.h:1435 [inline]
skb_orphan_frags include/linux/skbuff.h:2771 [inline]
pskb_expand_head+0x2b2/0x8c0 net/core/skbuff.c:1643
skb_ensure_writable+0x13d/0x1a0 net/core/skbuff.c:5452
__bpf_try_make_writable net/core/filter.c:1654 [inline]
bpf_try_make_writable net/core/filter.c:1660 [inline]
bpf_try_make_head_writable net/core/filter.c:1668 [inline]
____bpf_clone_redirect net/core/filter.c:2442 [inline]
bpf_clone_redirect+0xb6/0x1c0 net/core/filter.c:2420
bpf_prog_bebbfe2050753572+0x56/0x70c
bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
bpf_test_run+0x266/0x450 net/bpf/test_run.c:50
bpf_prog_test_run_skb+0x6f0/0xe70 net/bpf/test_run.c:581
bpf_prog_test_run kernel/bpf/syscall.c:3125 [inline]
__do_sys_bpf+0x39d6/0x9aa0 kernel/bpf/syscall.c:4417
__se_sys_bpf kernel/bpf/syscall.c:4357 [inline]
__x64_sys_bpf+0x3d/0x50 kernel/bpf/syscall.c:4357
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9

read-write to 0xffff8881221bb228 of 4 bytes by task 22529 on cpu 0:
__dev_set_promiscuity+0x8c/0x380 net/core/dev.c:8197
dev_set_promiscuity+0x37/0x90 net/core/dev.c:8253
macvlan_change_rx_flags+0xe8/0x100 drivers/net/macvlan.c:769
dev_change_rx_flags net/core/dev.c:8186 [inline]
__dev_set_promiscuity+0x30d/0x380 net/core/dev.c:8230
__dev_change_flags+0x1e8/0x400 net/core/dev.c:8432
rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3123
__rtnl_newlink net/core/rtnetlink.c:3460 [inline]
rtnl_newlink+0xf14/0x13a0 net/core/rtnetlink.c:3500
rtnetlink_rcv_msg+0x723/0x7c0 net/core/rtnetlink.c:5562
netlink_rcv_skb+0x13e/0x240 net/netlink/af_netlink.c:2494
rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5580
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x5df/0x6b0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x6f8/0x7c0 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
____sys_sendmsg+0x352/0x4c0 net/socket.c:2353
___sys_sendmsg net/socket.c:2407 [inline]
__sys_sendmsg+0x1e2/0x260 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg net/socket.c:2447 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2447
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 22529 Comm: syz-executor.4 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 3, 2021, 10:34:16 PM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.