From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753980AbaH2QR6 (ORCPT ); Fri, 29 Aug 2014 12:17:58 -0400 Received: from mail-qc0-f177.google.com ([209.85.216.177]:33580 "EHLO mail-qc0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753616AbaH2QR4 (ORCPT ); Fri, 29 Aug 2014 12:17:56 -0400 Message-ID: <5400A7B0.3060304@gmail.com> Date: Fri, 29 Aug 2014 12:17:52 -0400 From: Vlad Yasevich User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0 MIME-Version: 1.0 To: Tommi Rantala , "David S. Miller" , Alexey Kuznetsov , James Morris , Hideaki YOSHIFUJI , Patrick McHardy , Hannes Frederic Sowa CC: netdev@vger.kernel.org, LKML , trinity@vger.kernel.org, Dave Jones Subject: Re: RTNL: assertion failed at net/ipv6/addrconf.c (1699) References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/29/2014 11:26 AM, Tommi Rantala wrote: > Hi, > > Was fuzzing Linus v3.17-rc2-89-g59753a8 with Trinity as the root user > in qemu, when I hit the following assertion failures. > > Tommi > > > [init] Started watchdog process, PID is 4841 > [main] Main thread is alive. > [ 77.229699] sctp: [Deprecated]: trinity-main (pid 4842) Use of int > in max_burst socket option deprecated. > [ 77.229699] Use struct sctp_assoc_value instead > [ 77.297196] RTNL: assertion failed at net/ipv6/addrconf.c (1699) > [ 77.298080] CPU: 0 PID: 4842 Comm: trinity-main Not tainted 3.17.0-rc2+ #30 > [ 77.299039] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 > [ 77.299789] ffff88003d76a618 ffff880026133c50 ffffffff8238ba79 > ffff880037c84520 > [ 77.300829] ffff880026133c90 ffffffff820bd52b 0000000000000000 > ffffffff82d86c40 > [ 77.301869] 0000000000000000 00000000f76fd1e1 ffff8800382d8000 > ffff8800382d8220 > [ 77.302906] Call Trace: > [ 77.303246] [] dump_stack+0x4d/0x66 > [ 77.303928] [] addrconf_join_solict+0x4b/0xb0 > [ 77.304731] [] ipv6_dev_ac_inc+0x2bb/0x330 > [ 77.305498] [] ? ac6_seq_start+0x260/0x260 > [ 77.306257] [] ipv6_sock_ac_join+0x26e/0x360 > [ 77.307046] [] ? ipv6_sock_ac_join+0x99/0x360 > [ 77.307798] [] do_ipv6_setsockopt.isra.5+0xa70/0xf20 > [ 77.308570] [] ? sched_clock_local+0x1d/0x80 > [ 77.309260] [] ? kvm_clock_read+0x27/0x40 > [ 77.309915] [] ? sched_clock+0x9/0x10 > [ 77.310537] [] ? sock_has_perm+0x168/0x1e0 > [ 77.311204] [] ? sched_clock_cpu+0xa8/0xf0 > [ 77.311866] [] ? local_clock+0x1b/0x30 > [ 77.312501] [] ? lock_release_holdtime+0x1d/0x170 > [ 77.313241] [] ? sock_has_perm+0x180/0x1e0 > [ 77.313905] [] ? > selinux_msg_queue_alloc_security+0xa0/0xa0 > [ 77.314746] [] ipv6_setsockopt+0x53/0xb0 > [ 77.315397] [] udpv6_setsockopt+0x25/0x30 > [ 77.316058] [] sock_common_setsockopt+0xf/0x20 > [ 77.316764] [] SyS_setsockopt+0x8e/0xd0 > [ 77.317406] [] system_call_fastpath+0x16/0x1b > [main] 375 sockets created based on info from socket cachefile. > [main] Generating file descriptors > [main] Added 129 filenames from /dev > [main] Added 44048 filenames from /proc > [main] Added 18192 filenames from /sys > [main] Enabled 9 fd providers. > [watchdog] Watchdog is alive. (pid:4841) > [child3:4846] finit_module (313) returned ENOSYS, marking as inactive. > [child1:4844] kcmp (312) returned ENOSYS, marking as inactive. > [child2:4845] uselib (134) returned ENOSYS, marking as inactive. > [child1:4844] nfsservctl (180) returned ENOSYS, marking as inactive. > [child2:4845] delete_module (129:[32BIT]) returned ENOSYS, marking as inactive. > [child2:4845] init_module (175) returned ENOSYS, marking as inactive. > [ 84.126609] trinity-c7: vm86 mode not supported on 64 bit kernel > [child7:4850] vm86 (166:[32BIT]) returned ENOSYS, marking as inactive. > [main] Bailing main loop because ctrl-c. > [ 84.345840] RTNL: assertion failed at net/ipv6/addrconf.c (1712) > [ 84.346615] CPU: 0 PID: 4842 Comm: trinity-main Not tainted 3.17.0-rc2+ #30 > [ 84.347426] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 > [ 84.348102] ffff88003d76a618 ffff880026133d10 ffffffff8238ba79 > ffff8800382d8000 > [ 84.349018] ffff880026133d50 ffffffff820bd5db ffffffff81141555 > ffff8800382d8220 > [ 84.349935] ffff8800382d8000 00000000f76fd1e1 ffff88003d76a618 > ffff8800382d8000 > [ 84.350848] Call Trace: > [ 84.351149] [] dump_stack+0x4d/0x66 > [ 84.351751] [] addrconf_leave_solict+0x4b/0xb0 > [ 84.352574] [] ? __local_bh_enable_ip+0xa5/0xf0 > [ 84.353315] [] __ipv6_dev_ac_dec+0xc3/0x140 > [ 84.354019] [] ipv6_dev_ac_dec+0x98/0xb0 > [ 84.354687] [] ipv6_sock_ac_close+0x10d/0x1a0 > [ 84.355410] [] ? ipv6_sock_ac_close+0x2e/0x1a0 > [ 84.356147] [] inet6_release+0x23/0x40 > [ 84.356789] [] sock_release+0x14/0x80 > [ 84.357410] [] sock_close+0xd/0x20 > [ 84.358042] [] __fput+0x111/0x1e0 > [ 84.358622] [] ____fput+0x9/0x10 > [ 84.359196] [] task_work_run+0x9e/0xd0 > [ 84.359825] [] do_exit+0x456/0xb30 > [ 84.360419] [] ? retint_swapgs+0x13/0x1b > [ 84.361075] [] do_group_exit+0x84/0xd0 > [ 84.361705] [] SyS_exit_group+0xf/0x10 > [ 84.362338] [] system_call_fastpath+0x16/0x1b > [watchdog] [4841] Watchdog exiting because ctrl-c. > [init] Ran 775 syscalls. Successes: 179 Failures: 596 > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Yep, looks like ipv6_dev_ac_inc() and __ipv6_dev_ac_dec() are called without RNTL in the socket option path and with RTNL in the address configuration path. So it look like this this can actually trigger list corruptions. -vlad