Re: [syzbot] [net?] KCSAN: data-race in ipv6_mc_down / mld_ifc_work (2)

From: Taehee Yoo <ap420073@gmail.com>
To: Eric Dumazet <edumazet@google.com>,
	syzbot <syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KCSAN: data-race in ipv6_mc_down / mld_ifc_work (2)
Date: Sat, 13 Jan 2024 01:16:23 +0900	[thread overview]
Message-ID: <baa1f1e8-7fa6-fadf-584f-71f9d0b3dcdb@gmail.com> (raw)
In-Reply-To: <CANn89iKar6cuJAdQbL2n9vYWRL=yMQBEahfhXNVFNa0aax9OsQ@mail.gmail.com>

On 1/12/24 21:01, Eric Dumazet wrote:

Hi Eric,
Thank you for the report!

 > On Fri, Jan 12, 2024 at 11:10 AM syzbot
 > <syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com> wrote:
 >>
 >> Hello,
 >>
 >> syzbot found the following issue on:
 >>
 >> HEAD commit: 8735c7c84d1b Merge tag '6.7rc7-smb3-srv-fix' of 
git://git...
 >> git tree: upstream
 >> console output: https://syzkaller.appspot.com/x/log.txt?x=17948c9ae80000
 >> kernel config: 
https://syzkaller.appspot.com/x/.config?x=4da1e2da456c3a7d
 >> dashboard link: 
https://syzkaller.appspot.com/bug?extid=a9400cabb1d784e49abf
 >> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for 
Debian) 2.40
 >>
 >> Unfortunately, I don't have any reproducer for this issue yet.
 >>
 >> Downloadable assets:
 >> disk image: 
https://storage.googleapis.com/syzbot-assets/f263d974af01/disk-8735c7c8.raw.xz
 >> vmlinux: 
https://storage.googleapis.com/syzbot-assets/9faf34fc0b3e/vmlinux-8735c7c8.xz
 >> kernel image: 
https://storage.googleapis.com/syzbot-assets/0b52a58ecd0e/bzImage-8735c7c8.xz
 >>
 >> IMPORTANT: if you fix the issue, please add the following tag to the 
commit:
 >> Reported-by: syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com
 >>
 >> ==================================================================
 >> BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work
 >>
 >> write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
 >> mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
 >> ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
 >> addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
 >> addrconf_notify+0x310/0x980
 >> notifier_call_chain kernel/notifier.c:93 [inline]
 >> raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
 >> __dev_notify_flags+0x205/0x3d0
 >> dev_change_flags+0xab/0xd0 net/core/dev.c:8685
 >> do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
 >> rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
 >> __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
 >> rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
 >> rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
 >> netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
 >> rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
 >> netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 >> netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
 >> netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
 >> sock_sendmsg_nosec net/socket.c:730 [inline]
 >> __sock_sendmsg net/socket.c:745 [inline]
 >> ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2584
 >> ___sys_sendmsg net/socket.c:2638 [inline]
 >> __sys_sendmsg+0x1e9/0x270 net/socket.c:2667
 >> __do_sys_sendmsg net/socket.c:2676 [inline]
 >> __se_sys_sendmsg net/socket.c:2674 [inline]
 >> __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 >> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 >> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 >> entry_SYSCALL_64_after_hwframe+0x63/0x6b
 >>
 >> write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
 >> mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
 >> process_one_work kernel/workqueue.c:2627 [inline]
 >> process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
 >> worker_thread+0x525/0x730 kernel/workqueue.c:2781
 >> kthread+0x1d7/0x210 kernel/kthread.c:388
 >> ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 >> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 >>
 >> value changed: 0x02 -> 0x00
 >>
 >> Reported by Kernel Concurrency Sanitizer on:
 >> CPU: 1 PID: 22 Comm: kworker/1:0 Not tainted 
6.7.0-rc7-syzkaller-00029-g8735c7c84d1b #0
 >> Hardware name: Google Google Compute Engine/Google Compute Engine, 
BIOS Google 11/17/2023
 >> Workqueue: mld mld_ifc_work
 >> ==================================================================
 >>
 >>
 >> ---
 >> This report is generated by a bot. It may contain errors.
 >> See https://goo.gl/tpsmEJ for more information about syzbot.
 >> syzbot engineers can be reached at syzkaller@googlegroups.com.
 >>
 >> syzbot will keep track of this issue. See:
 >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
 >>
 >> If the report is already addressed, let syzbot know by replying with:
 >> #syz fix: exact-commit-title
 >>
 >> If you want to overwrite report's subsystems, reply with:
 >> #syz set subsystems: new-subsystem
 >> (See the list of subsystem names on the web dashboard)
 >>
 >> If the report is a duplicate of another one, reply with:
 >> #syz dup: exact-subject-of-another-report
 >>
 >> If you want to undo deduplication, reply with:
 >> #syz undup
 >
 > Bug added in
 >
 > commit 63ed8de4be81b699ca727e9f8e3344bd487806d7
 > Author: Taehee Yoo <ap420073@gmail.com>
 > Date: Thu Mar 25 16:16:57 2021 +0000
 >
 > mld: add mc_lock for protecting per-interface mld data
 >
 >
 > ipv6_mc_down() calls mld_ifc_stop_work() while mc_lock is not held.

Thanks a lot for the analysis, I will look into this.

Thanks a lot!
Taehee Yoo