* [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
@ 2024-03-06 10:57 syzbot
2024-03-08 10:50 ` Hillf Danton
` (6 more replies)
0 siblings, 7 replies; 16+ messages in thread
From: syzbot @ 2024-03-06 10:57 UTC (permalink / raw)
To: davem, dsahern, edumazet, fw, kadlec, kuba, linux-kernel, netdev,
netfilter-devel, pabeni, pablo, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14e106ac180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fad652894fc96962
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d490ca180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/17c4652fa589/disk-805d849d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7fc3b5760ca4/vmlinux-805d849d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d88bfccc316a/bzImage-805d849d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e5167d7144a62715044c@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in sk_fullsock include/net/sock.h:2823 [inline]
BUG: KASAN: slab-use-after-free in ip_skb_dst_mtu+0x830/0x9b0 include/net/ip.h:499
Read of size 1 at addr ffff88802dc5a012 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc6-syzkaller-00037-g805d849d7c3c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x167/0x540 mm/kasan/report.c:488
kasan_report+0x142/0x180 mm/kasan/report.c:601
sk_fullsock include/net/sock.h:2823 [inline]
ip_skb_dst_mtu+0x830/0x9b0 include/net/ip.h:499
__ip_finish_output+0x12b/0x400 net/ipv4/ip_output.c:306
ipvlan_process_v4_outbound+0x3ef/0x700 drivers/net/ipvlan/ipvlan_core.c:442
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:540 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
ipvlan_queue_xmit+0xaa2/0x11f0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_start_xmit+0x4a/0x150 drivers/net/ipvlan/ipvlan_main.c:222
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3563
sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342
qdisc_restart net/sched/sch_generic.c:407 [inline]
__qdisc_run+0xbed/0x2150 net/sched/sch_generic.c:415
qdisc_run+0xda/0x270 include/net/pkt_sched.h:125
net_tx_action+0x877/0xa30 net/core/dev.c:5197
__do_softirq+0x2bb/0x942 kernel/softirq.c:553
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
@ 2024-03-08 10:50 ` Hillf Danton
2024-03-08 11:09 ` syzbot
2024-03-08 12:15 ` Hillf Danton
` (5 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-08 10:50 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,10 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-08 10:50 ` Hillf Danton
@ 2024-03-08 11:09 ` syzbot
0 siblings, 0 replies; 16+ messages in thread
From: syzbot @ 2024-03-08 11:09 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: null-ptr-deref Write in ipvlan_process_v4_outbound
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add include/linux/refcount.h:182 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc include/linux/refcount.h:239 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc include/linux/refcount.h:256 [inline]
BUG: KASAN: null-ptr-deref in ipvlan_process_v4_outbound+0x3f6/0x7b0 drivers/net/ipvlan/ipvlan_core.c:444
Write of size 4 at addr 0000000000000274 by task syz-executor.0/5580
CPU: 0 PID: 5580 Comm: syz-executor.0 Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_report+0xe6/0x540 mm/kasan/report.c:491
kasan_report+0x142/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:182 [inline]
__refcount_inc include/linux/refcount.h:239 [inline]
refcount_inc include/linux/refcount.h:256 [inline]
ipvlan_process_v4_outbound+0x3f6/0x7b0 drivers/net/ipvlan/ipvlan_core.c:444
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:544 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:606 [inline]
ipvlan_queue_xmit+0xaa2/0x11f0 drivers/net/ipvlan/ipvlan_core.c:672
ipvlan_start_xmit+0x4a/0x150 drivers/net/ipvlan/ipvlan_main.c:222
__netdev_start_xmit include/linux/netdevice.h:4986 [inline]
netdev_start_xmit include/linux/netdevice.h:5000 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3563
sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342
qdisc_restart net/sched/sch_generic.c:407 [inline]
__qdisc_run+0xbed/0x2150 net/sched/sch_generic.c:415
__dev_xmit_skb net/core/dev.c:3839 [inline]
__dev_queue_xmit+0xfc6/0x3b10 net/core/dev.c:4317
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x47f4/0x6240 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f5d1287dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5d136b40c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5d129abf80 RCX: 00007f5d1287dda9
RDX: 0000000000005c13 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f5d128ca47a R08: 0000000000000000 R09: 000000000000002f
R10: 0000000000000806 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f5d129abf80 R15: 00007fffdca46778
</TASK>
==================================================================
Tested on:
commit: 3aaa8ce7 Merge tag 'mm-hotfixes-stable-2024-03-07-16-1..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12503a49180000
kernel config: https://syzkaller.appspot.com/x/.config?x=165e1d0fff4d3c47
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=154b4001180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
2024-03-08 10:50 ` Hillf Danton
@ 2024-03-08 12:15 ` Hillf Danton
2024-03-08 13:00 ` syzbot
2024-03-08 23:14 ` Hillf Danton
` (4 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-08 12:15 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,12 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ if (!sk)
+ goto err;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-08 12:15 ` Hillf Danton
@ 2024-03-08 13:00 ` syzbot
0 siblings, 0 replies; 16+ messages in thread
From: syzbot @ 2024-03-08 13:00 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in switchdev_deferred_process_work
INFO: task kworker/1:1:27 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:19352 pid:27 tgid:27 ppid:2 flags:0x00004000
Workqueue: events switchdev_deferred_process_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task kworker/0:2:781 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:2 state:D stack:22584 pid:781 tgid:781 ppid:2 flags:0x00004000
Workqueue: events linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
linkwatch_event+0xe/0x60 net/core/link_watch.c:281
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task dhcpcd:4736 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd state:D stack:20952 pid:4736 tgid:4736 ppid:4735 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
devinet_ioctl+0x2ce/0x1bc0 net/ipv4/devinet.c:1091
inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1000
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:857
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fbee8a8ed49
RSP: 002b:00007ffd87e02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fbee89c06c0 RCX: 00007fbee8a8ed49
RDX: 00007ffd87e131a8 RSI: 0000000000008914 RDI: 0000000000000018
RBP: 00007ffd87e23368 R08: 00007ffd87e13168 R09: 00007ffd87e13118
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd87e131a8 R14: 0000000000000028 R15: 0000000000008914
</TASK>
INFO: task syz-executor.0:14966 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:20984 pid:14966 tgid:14966 ppid:1 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fd058e7fa9c
RSP: 002b:00007ffd38f21060 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fd059ad4620 RCX: 00007fd058e7fa9c
RDX: 000000000000006c RSI: 00007fd059ad4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffd38f210b4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fd059ad4670 R15: 0000000000000000
</TASK>
Showing all locks held in the system:
3 locks held by kworker/1:0/23:
#0: ffff8880299f1138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff8880299f1138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc900001d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc900001d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4686
3 locks held by kworker/1:1/27:
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90000a2fd20 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90000a2fd20 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
1 lock held by khungtaskd/30:
#0: ffffffff8e130be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8e130be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8e130be0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6614
5 locks held by kworker/u4:5/308:
#0: ffff888015ea4938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888015ea4938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90002f3fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90002f3fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f369810 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf5/0xb90 net/core/net_namespace.c:580
#3: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: default_device_exit_batch+0xe8/0x9d0 net/core/dev.c:11583
#4: ffffffff8e136578 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:292 [inline]
#4: ffffffff8e136578 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3a3/0x890 kernel/rcu/tree_exp.h:995
3 locks held by kworker/0:2/781:
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc9000430fd20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc9000430fd20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:281
3 locks held by kworker/0:3/1150:
#0: ffff8880299f1138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff8880299f1138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90004a57d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90004a57d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4686
1 lock held by dhcpcd/4736:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x2ce/0x1bc0 net/ipv4/devinet.c:1091
2 locks held by getty/4819:
#0: ffff88802a0830a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b4/0x1e10 drivers/tty/n_tty.c:2201
2 locks held by kworker/0:4/5085:
#0: ffff888014c7a538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c7a538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90003ccfd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90003ccfd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
1 lock held by syz-executor.0/14966:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
1 lock held by syz-executor.0/14990:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
1 lock held by syz-executor.0/14997:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 30 Comm: khungtaskd Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xfaf/0xff0 kernel/hung_task.c:379
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 4504 Comm: syslogd Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:__preempt_count_add kernel/rcu/tree.c:696 [inline]
RIP: 0010:rcu_is_watching+0x6/0xb0 kernel/rcu/tree.c:699
Code: 5e 03 e9 2b ff ff ff e8 e8 49 ec 09 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 <41> 56 53 65 ff 05 28 eb 88 7e e8 eb 67 ec 09 89 c3 83 f8 08 73 7a
RSP: 0018:ffffc9000312fbf0 EFLAGS: 00000257
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff81711844
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8f856c28
RBP: ffffc9000312fd58 R08: ffffffff8f856c2f R09: 1ffffffff1f0ad85
R10: dffffc0000000000 R11: fffffbfff1f0ad86 R12: 1ffff92000625f88
R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff1100fc3c0a5
FS: 00007ff39ead3380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ba48cdb0a8 CR3: 0000000028d0c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0xe3/0x530 kernel/locking/lockdep.c:5725
__might_fault+0xc5/0x120 mm/memory.c:6080
clear_rseq_cs kernel/rseq.c:257 [inline]
rseq_ip_fixup kernel/rseq.c:291 [inline]
__rseq_handle_notify_resume+0x625/0x1490 kernel/rseq.c:329
rseq_handle_notify_resume include/linux/rseq.h:38 [inline]
resume_user_mode_work include/linux/resume_user_mode.h:62 [inline]
exit_to_user_mode_loop kernel/entry/common.c:108 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0x113/0x360 kernel/entry/common.c:212
do_syscall_64+0x108/0x240 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7ff39ec27b6a
Code: 00 3d 00 00 41 00 75 0d 50 48 8d 3d 2d 08 0a 00 e8 ea 7d 01 00 31 c0 e9 07 ff ff ff 64 8b 04 25 18 00 00 00 85 c0 75 1b 0f 05 <48> 3d 00 f0 ff ff 76 6c 48 8b 15 8f a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffeec16bd38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: 0000000000000088 RBX: 0000000000000002 RCX: 00007ff39ec27b6a
RDX: 00000000000000ff RSI: 0000561d21dae950 RDI: 0000000000000000
RBP: 0000561d21dae910 R08: 0000000000000001 R09: 0000000000000000
R10: 00007ff39edc63a3 R11: 0000000000000246 R12: 0000561d21dae999
R13: 0000561d21dae950 R14: 0000000000000000 R15: 00007ff39ee04a80
</TASK>
Tested on:
commit: 3aaa8ce7 Merge tag 'mm-hotfixes-stable-2024-03-07-16-1..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14ee84d1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=165e1d0fff4d3c47
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1242f756180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
2024-03-08 10:50 ` Hillf Danton
2024-03-08 12:15 ` Hillf Danton
@ 2024-03-08 23:14 ` Hillf Danton
2024-03-09 1:32 ` syzbot
2024-03-09 4:53 ` Hillf Danton
` (3 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-08 23:14 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,12 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ if (!sk)
+ goto err;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-08 23:14 ` Hillf Danton
@ 2024-03-09 1:32 ` syzbot
0 siblings, 0 replies; 16+ messages in thread
From: syzbot @ 2024-03-09 1:32 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
sbcore: registered new interface driver dln2
[ 8.758756][ T1] usbcore: registered new interface driver pn533_usb
[ 8.766300][ T1] nfcsim 0.2 initialized
[ 8.767501][ T1] usbcore: registered new interface driver port100
[ 8.769021][ T1] usbcore: registered new interface driver nfcmrvl
[ 8.777559][ T1] Loading iSCSI transport class v2.0-870.
[ 8.798614][ T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ 8.809823][ T1] ------------[ cut here ]------------
[ 8.810772][ T1] refcount_t: decrement hit 0; leaking memory.
[ 8.812057][ T1] WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[ 8.813796][ T1] Modules linked in:
[ 8.814366][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc7-next-20240308-syzkaller-g8ffc8b1bbd50-dirty #0
[ 8.816583][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 8.821133][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 8.822500][ T1] Code: b2 00 00 00 e8 a7 e3 ec fc 5b 5d c3 cc cc cc cc e8 9b e3 ec fc c6 05 16 be ea 0a 01 90 48 c7 c7 60 ab 1e 8c e8 17 b9 af fc 90 <0f> 0b 90 90 eb d9 e8 7b e3 ec fc c6 05 f3 bd ea 0a 01 90 48 c7 c7
[ 8.825856][ T1] RSP: 0000:ffffc90000066e18 EFLAGS: 00010246
[ 8.826703][ T1] RAX: f37710c6fdfb4400 RBX: ffff8881472e256c RCX: ffff8880166d8000
[ 8.828285][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 8.829591][ T1] RBP: 0000000000000004 R08: ffffffff8157d172 R09: fffffbfff1c39614
[ 8.831826][ T1] R10: dffffc0000000000 R11: fffffbfff1c39614 R12: ffffea0000851dc0
[ 8.833304][ T1] R13: ffffea0000851dc8 R14: 1ffffd400010a3b9 R15: 0000000000000000
[ 8.834541][ T1] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 8.836062][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.837282][ T1] CR2: ffff88823ffff000 CR3: 000000000e132000 CR4: 00000000003506f0
[ 8.839016][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8.840940][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8.842607][ T1] Call Trace:
[ 8.843365][ T1] <TASK>
[ 8.843855][ T1] ? __warn+0x163/0x4b0
[ 8.844635][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.846182][ T1] ? report_bug+0x2b3/0x500
[ 8.847620][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.848738][ T1] ? handle_bug+0x3e/0x70
[ 8.849656][ T1] ? exc_invalid_op+0x1a/0x50
[ 8.851094][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 8.852147][ T1] ? __warn_printk+0x292/0x360
[ 8.853031][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.853917][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 8.854722][ T1] __free_pages_ok+0xc42/0xd70
[ 8.855417][ T1] make_alloc_exact+0xa3/0xf0
[ 8.856076][ T1] vring_alloc_queue_split+0x20a/0x600
[ 8.856911][ T1] ? __pfx_vring_alloc_queue_split+0x10/0x10
[ 8.857795][ T1] ? vp_find_vqs+0x4c/0x4e0
[ 8.858505][ T1] ? virtscsi_probe+0x3ea/0xf60
[ 8.859456][ T1] ? virtio_dev_probe+0x991/0xaf0
[ 8.860939][ T1] ? really_probe+0x29e/0xc50
[ 8.862246][ T1] ? driver_probe_device+0x50/0x430
[ 8.863277][ T1] vring_create_virtqueue_split+0xc6/0x310
[ 8.864213][ T1] ? ret_from_fork+0x4b/0x80
[ 8.864929][ T1] ? __pfx_vring_create_virtqueue_split+0x10/0x10
[ 8.865989][ T1] vring_create_virtqueue+0xca/0x110
[ 8.867234][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.868277][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.869236][ T1] setup_vq+0xe9/0x2d0
[ 8.869960][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.870658][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.871551][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.872622][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.873697][ T1] vp_setup_vq+0xbf/0x330
[ 8.874450][ T1] ? __pfx_vp_config_changed+0x10/0x10
[ 8.875667][ T1] ? ioread16+0x2f/0x90
[ 8.876346][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.877234][ T1] vp_find_vqs_msix+0x8b2/0xc80
[ 8.878105][ T1] vp_find_vqs+0x4c/0x4e0
[ 8.879082][ T1] virtscsi_init+0x8db/0xd00
[ 8.880685][ T1] ? __pfx_virtscsi_init+0x10/0x10
[ 8.882808][ T1] ? __pfx_default_calc_sets+0x10/0x10
[ 8.883806][ T1] ? scsi_host_alloc+0xa57/0xea0
[ 8.885078][ T1] ? vp_get+0xfd/0x140
[ 8.886204][ T1] virtscsi_probe+0x3ea/0xf60
[ 8.887594][ T1] ? __pfx_virtscsi_probe+0x10/0x10
[ 8.888451][ T1] ? kernfs_add_one+0x156/0x8b0
[ 8.889293][ T1] ? virtio_no_restricted_mem_acc+0x9/0x10
[ 8.890605][ T1] ? virtio_features_ok+0x10c/0x270
[ 8.891781][ T1] virtio_dev_probe+0x991/0xaf0
[ 8.893220][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.894284][ T1] really_probe+0x29e/0xc50
[ 8.895013][ T1] __driver_probe_device+0x1a2/0x3e0
[ 8.896119][ T1] driver_probe_device+0x50/0x430
[ 8.897148][ T1] __driver_attach+0x45f/0x710
[ 8.898234][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.899310][ T1] bus_for_each_dev+0x239/0x2b0
[ 8.900535][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.902736][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.903955][ T1] ? do_raw_spin_unlock+0x13c/0x8b0
[ 8.905323][ T1] bus_add_driver+0x347/0x620
[ 8.906778][ T1] driver_register+0x23a/0x320
[ 8.907994][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.909607][ T1] virtio_scsi_init+0x65/0xe0
[ 8.910777][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.912214][ T1] do_one_initcall+0x238/0x830
[ 8.913543][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.914984][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.916819][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.917969][ T1] ? __pfx_parse_args+0x10/0x10
[ 8.919098][ T1] ? do_initcalls+0x1c/0x80
[ 8.919909][ T1] ? rcu_is_watching+0x15/0xb0
[ 8.920983][ T1] do_initcall_level+0x157/0x210
[ 8.922112][ T1] do_initcalls+0x3f/0x80
[ 8.923091][ T1] kernel_init_freeable+0x435/0x5d0
[ 8.924601][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 8.926232][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.928164][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.929328][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.930562][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.931742][ T1] kernel_init+0x1d/0x2b0
[ 8.932479][ T1] ret_from_fork+0x4b/0x80
[ 8.933443][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.934667][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.936510][ T1] </TASK>
[ 8.937427][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 8.939173][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc7-next-20240308-syzkaller-g8ffc8b1bbd50-dirty #0
[ 8.942655][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 8.945439][ T1] Call Trace:
[ 8.946072][ T1] <TASK>
[ 8.946896][ T1] dump_stack_lvl+0x241/0x360
[ 8.947396][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 8.947396][ T1] ? __pfx__printk+0x10/0x10
[ 8.947396][ T1] ? _printk+0xd5/0x120
[ 8.947396][ T1] ? vscnprintf+0x5d/0x90
[ 8.947396][ T1] panic+0x349/0x860
[ 8.947396][ T1] ? __warn+0x172/0x4b0
[ 8.947396][ T1] ? __pfx_panic+0x10/0x10
[ 8.957077][ T1] ? show_trace_log_lvl+0x4e6/0x520
[ 8.957077][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 8.957077][ T1] __warn+0x31e/0x4b0
[ 8.957077][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.957077][ T1] report_bug+0x2b3/0x500
[ 8.957077][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.957077][ T1] handle_bug+0x3e/0x70
[ 8.967207][ T1] exc_invalid_op+0x1a/0x50
[ 8.967207][ T1] asm_exc_invalid_op+0x1a/0x20
[ 8.967207][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 8.967207][ T1] Code: b2 00 00 00 e8 a7 e3 ec fc 5b 5d c3 cc cc cc cc e8 9b e3 ec fc c6 05 16 be ea 0a 01 90 48 c7 c7 60 ab 1e 8c e8 17 b9 af fc 90 <0f> 0b 90 90 eb d9 e8 7b e3 ec fc c6 05 f3 bd ea 0a 01 90 48 c7 c7
[ 8.977080][ T1] RSP: 0000:ffffc90000066e18 EFLAGS: 00010246
[ 8.977080][ T1] RAX: f37710c6fdfb4400 RBX: ffff8881472e256c RCX: ffff8880166d8000
[ 8.977080][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 8.977080][ T1] RBP: 0000000000000004 R08: ffffffff8157d172 R09: fffffbfff1c39614
[ 8.977080][ T1] R10: dffffc0000000000 R11: fffffbfff1c39614 R12: ffffea0000851dc0
[ 8.977080][ T1] R13: ffffea0000851dc8 R14: 1ffffd400010a3b9 R15: 0000000000000000
[ 8.987200][ T1] ? __warn_printk+0x292/0x360
[ 8.987200][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 8.987200][ T1] __free_pages_ok+0xc42/0xd70
[ 8.987200][ T1] make_alloc_exact+0xa3/0xf0
[ 8.987200][ T1] vring_alloc_queue_split+0x20a/0x600
[ 8.987200][ T1] ? __pfx_vring_alloc_queue_split+0x10/0x10
[ 8.987200][ T1] ? vp_find_vqs+0x4c/0x4e0
[ 8.987200][ T1] ? virtscsi_probe+0x3ea/0xf60
[ 8.987200][ T1] ? virtio_dev_probe+0x991/0xaf0
[ 8.997075][ T1] ? really_probe+0x29e/0xc50
[ 8.997075][ T1] ? driver_probe_device+0x50/0x430
[ 8.997075][ T1] vring_create_virtqueue_split+0xc6/0x310
[ 8.997075][ T1] ? ret_from_fork+0x4b/0x80
[ 8.997075][ T1] ? __pfx_vring_create_virtqueue_split+0x10/0x10
[ 8.997075][ T1] vring_create_virtqueue+0xca/0x110
[ 8.997075][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.997075][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.997075][ T1] setup_vq+0xe9/0x2d0
[ 8.997075][ T1] ? __pfx_vp_notify+0x10/0x10
[ 9.007200][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 9.007200][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 9.007200][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 9.007200][ T1] vp_setup_vq+0xbf/0x330
[ 9.007200][ T1] ? __pfx_vp_config_changed+0x10/0x10
[ 9.007200][ T1] ? ioread16+0x2f/0x90
[ 9.007200][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 9.007200][ T1] vp_find_vqs_msix+0x8b2/0xc80
[ 9.007200][ T1] vp_find_vqs+0x4c/0x4e0
[ 9.017081][ T1] virtscsi_init+0x8db/0xd00
[ 9.017081][ T1] ? __pfx_virtscsi_init+0x10/0x10
[ 9.017081][ T1] ? __pfx_default_calc_sets+0x10/0x10
[ 9.017081][ T1] ? scsi_host_alloc+0xa57/0xea0
[ 9.017081][ T1] ? vp_get+0xfd/0x140
[ 9.017081][ T1] virtscsi_probe+0x3ea/0xf60
[ 9.017081][ T1] ? __pfx_virtscsi_probe+0x10/0x10
[ 9.027229][ T1] ? kernfs_add_one+0x156/0x8b0
[ 9.027229][ T1] ? virtio_no_restricted_mem_acc+0x9/0x10
[ 9.027229][ T1] ? virtio_features_ok+0x10c/0x270
[ 9.027229][ T1] virtio_dev_probe+0x991/0xaf0
[ 9.027229][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 9.027229][ T1] really_probe+0x29e/0xc50
[ 9.027229][ T1] __driver_probe_device+0x1a2/0x3e0
[ 9.037078][ T1] driver_probe_device+0x50/0x430
[ 9.037078][ T1] __driver_attach+0x45f/0x710
[ 9.037078][ T1] ? __pfx___driver_attach+0x10/0x10
[ 9.037078][ T1] bus_for_each_dev+0x239/0x2b0
[ 9.037078][ T1] ? __pfx___driver_attach+0x10/0x10
[ 9.037078][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 9.037078][ T1] ? do_raw_spin_unlock+0x13c/0x8b0
[ 9.037078][ T1] bus_add_driver+0x347/0x620
[ 9.037078][ T1] driver_register+0x23a/0x320
[ 9.047213][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 9.047213][ T1] virtio_scsi_init+0x65/0xe0
[ 9.047213][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 9.047213][ T1] do_one_initcall+0x238/0x830
[ 9.047213][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 9.047213][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 9.047213][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 9.047213][ T1] ? __pfx_parse_args+0x10/0x10
[ 9.057088][ T1] ? do_initcalls+0x1c/0x80
[ 9.057088][ T1] ? rcu_is_watching+0x15/0xb0
[ 9.057088][ T1] do_initcall_level+0x157/0x210
[ 9.057088][ T1] do_initcalls+0x3f/0x80
[ 9.057088][ T1] kernel_init_freeable+0x435/0x5d0
[ 9.057088][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 9.057088][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 9.057088][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.067209][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.067209][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.067209][ T1] kernel_init+0x1d/0x2b0
[ 9.067209][ T1] ret_from_fork+0x4b/0x80
[ 9.067209][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.067209][ T1] ret_from_fork_asm+0x1a/0x30
[ 9.067209][ T1] </TASK>
[ 9.067209][ T1] Kernel Offset: disabled
[ 9.067209][ T1] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3507553695=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 352ab9047
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=352ab9047be19ed1d8367b9113b7bde280c90124 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240228-135607'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=352ab9047be19ed1d8367b9113b7bde280c90124 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240228-135607'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=352ab9047be19ed1d8367b9113b7bde280c90124 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240228-135607'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"352ab9047be19ed1d8367b9113b7bde280c90124\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=142c94da180000
Tested on:
commit: 8ffc8b1b Add linux-next specific files for 20240308
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=9f21b6530bb238b3
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=148a3de1180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
` (2 preceding siblings ...)
2024-03-08 23:14 ` Hillf Danton
@ 2024-03-09 4:53 ` Hillf Danton
2024-03-09 5:19 ` syzbot
2024-03-09 8:45 ` Hillf Danton
` (2 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-09 4:53 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git stable
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,12 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ if (!sk)
+ goto err;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-09 4:53 ` Hillf Danton
@ 2024-03-09 5:19 ` syzbot
0 siblings, 0 replies; 16+ messages in thread
From: syzbot @ 2024-03-09 5:19 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in switchdev_deferred_process_work
INFO: task kworker/0:1:9 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-gc381c89de180-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:22136 pid:9 tgid:9 ppid:2 flags:0x00004000
Workqueue: events switchdev_deferred_process_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task kworker/1:2:930 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-gc381c89de180-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:21656 pid:930 tgid:930 ppid:2 flags:0x00004000
Workqueue: events linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
linkwatch_event+0xe/0x60 net/core/link_watch.c:281
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task dhcpcd:4736 blocked for more than 143 seconds.
Not tainted 6.8.0-rc7-syzkaller-gc381c89de180-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd state:D stack:20504 pid:4736 tgid:4736 ppid:4735 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f4199ba6a4b
RSP: 002b:00007fff84cbbcc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f4199ace6c0 RCX: 00007f4199ba6a4b
RDX: 0000000000000000 RSI: 00007fff84ccfe78 RDI: 0000000000000018
RBP: 0000000000000018 R08: 0000000000000000 R09: 00007fff84ccfe78
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 00007fff84ccfe78 R14: 0000000000000030 R15: 0000000000000001
</TASK>
INFO: task syz-executor.0:14964 blocked for more than 144 seconds.
Not tainted 6.8.0-rc7-syzkaller-gc381c89de180-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:20984 pid:14964 tgid:14964 ppid:1 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f49d9c7fa9c
RSP: 002b:00007ffe9fe96940 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f49da8d4620 RCX: 00007f49d9c7fa9c
RDX: 000000000000003c RSI: 00007f49da8d4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffe9fe96994 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f49da8d4670 R15: 0000000000000000
</TASK>
Showing all locks held in the system:
3 locks held by kworker/0:0/8:
#0: ffff888029cdbd38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888029cdbd38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc900000d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc900000d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4686
3 locks held by kworker/0:1/9:
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc900000e7d20 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc900000e7d20 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
1 lock held by khungtaskd/29:
#0: ffffffff8e130be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8e130be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8e130be0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6614
2 locks held by kworker/u4:2/42:
#0: ffff8880b953c958 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
#1: ffff8880b9528988 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x441/0x770 kernel/sched/psi.c:988
3 locks held by kworker/1:2/930:
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c78938 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc900042e7d20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc900042e7d20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:281
5 locks held by kworker/u4:7/1097:
#0: ffff888015ea4938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888015ea4938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc9000495fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc9000495fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f369810 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf5/0xb90 net/core/net_namespace.c:580
#3: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: default_device_exit_batch+0xe8/0x9d0 net/core/dev.c:11583
#4: ffffffff8e136578 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:292 [inline]
#4: ffffffff8e136578 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3a3/0x890 kernel/rcu/tree_exp.h:995
1 lock held by dhcpcd/4736:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
3 locks held by kworker/1:3/4809:
#0: ffff888029cdbd38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888029cdbd38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc9000356fd20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc9000356fd20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4686
2 locks held by getty/4822:
#0: ffff88802a4a50a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b4/0x1e10 drivers/tty/n_tty.c:2201
2 locks held by kworker/1:6/5082:
#0: ffff888014c7a538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c7a538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90004217d20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90004217d20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
1 lock held by syz-executor.0/14964:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
1 lock held by syz-executor.0/14988:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
1 lock held by syz-executor.0/14995:
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f375d88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6614
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc7-syzkaller-gc381c89de180-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xfaf/0xff0 kernel/hung_task.c:379
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 270 Comm: kworker/u4:5 Not tainted 6.8.0-rc7-syzkaller-gc381c89de180-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:get_current arch/x86/include/asm/current.h:42 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:235 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp4+0x8/0x90 kernel/kcov.c:304
Code: 0a 20 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 4c 8b 04 24 <65> 48 8b 15 b0 4b 70 7e 65 8b 05 b1 4b 70 7e a9 00 01 ff 00 74 10
RSP: 0018:ffffc9000316f758 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff9200062df35 RCX: ffff88801e230000
RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000000
RBP: ffffc9000316f9ac R08: ffffffff8b63c78f R09: 0000000000000000
R10: ffffc9000316f960 R11: fffff5200062df37 R12: ffffc9000316f960
R13: 0000000000004000 R14: ffffc9000316f984 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d14f5ec028 CR3: 000000000df32000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
insn_get_modrm+0xbf/0x7a0 arch/x86/lib/insn.c:348
insn_get_sib arch/x86/lib/insn.c:421 [inline]
insn_get_displacement+0x13e/0x980 arch/x86/lib/insn.c:464
insn_get_immediate+0x382/0x13e0 arch/x86/lib/insn.c:632
insn_get_length arch/x86/lib/insn.c:707 [inline]
insn_decode+0x370/0x500 arch/x86/lib/insn.c:747
text_poke_loc_init+0xed/0x870 arch/x86/kernel/alternative.c:2401
arch_jump_label_transform_queue+0x8f/0x100 arch/x86/kernel/jump_label.c:138
__jump_label_update+0x177/0x3a0 kernel/jump_label.c:475
static_key_disable_cpuslocked+0xce/0x1c0 kernel/jump_label.c:235
static_key_disable+0x1a/0x20 kernel/jump_label.c:243
toggle_allocation_gate+0x1b8/0x250 mm/kfence/core.c:831
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Tested on:
commit: c381c89d Merge tag 'spi-fix-v6.8-rc7' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git stable
console output: https://syzkaller.appspot.com/x/log.txt?x=13ede469180000
kernel config: https://syzkaller.appspot.com/x/.config?x=c11c5c676adb61f0
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16e50da6180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
` (3 preceding siblings ...)
2024-03-09 4:53 ` Hillf Danton
@ 2024-03-09 8:45 ` Hillf Danton
2024-03-09 9:13 ` syzbot
2024-03-16 9:00 ` Hillf Danton
2024-03-17 10:04 ` Hillf Danton
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-09 8:45 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://github.com/fbq/linux.git rcu-exp.2024.01.29b
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,12 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ if (!sk)
+ goto err;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-09 8:45 ` Hillf Danton
@ 2024-03-09 9:13 ` syzbot
2024-03-09 10:19 ` Hillf Danton
0 siblings, 1 reply; 16+ messages in thread
From: syzbot @ 2024-03-09 9:13 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in switchdev_deferred_process_work
INFO: task kworker/1:2:783 blocked for more than 143 seconds.
Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:21872 pid:783 tgid:783 ppid:2 flags:0x00004000
Workqueue: events switchdev_deferred_process_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:75
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
INFO: task dhcpcd:4739 blocked for more than 143 seconds.
Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd state:D stack:20952 pid:4739 tgid:4739 ppid:4738 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f85a0637a4b
RSP: 002b:00007ffebbd31e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f85a055f6c0 RCX: 00007f85a0637a4b
RDX: 0000000000000000 RSI: 00007ffebbd46018 RDI: 000000000000000f
RBP: 000000000000000f R08: 0000000000000000 R09: 00007ffebbd46018
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 00007ffebbd46018 R14: 0000000000000030 R15: 0000000000000001
</TASK>
INFO: task kworker/0:3:5086 blocked for more than 143 seconds.
Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:3 state:D stack:21872 pid:5086 tgid:5086 ppid:2 flags:0x00004000
Workqueue: events linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
linkwatch_event+0xe/0x60 net/core/link_watch.c:281
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
INFO: task syz-executor.0:14954 blocked for more than 144 seconds.
Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:19888 pid:14954 tgid:14954 ppid:1 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0x149/0x260 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f2a1c07fa9c
RSP: 002b:00007ffc5dd132a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f2a1ccd4620 RCX: 00007f2a1c07fa9c
RDX: 0000000000000028 RSI: 00007f2a1ccd4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffc5dd132f4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f2a1ccd4670 R15: 0000000000000000
</TASK>
Showing all locks held in the system:
3 locks held by kworker/0:1/8:
#0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc900000d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc900000d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4671
1 lock held by khungtaskd/29:
#0: ffffffff8e1308e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8e1308e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8e1308e0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6614
5 locks held by kworker/u4:5/146:
#0: ffff8880162f0938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff8880162f0938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90002e6fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90002e6fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f3673d0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf5/0xb90 net/core/net_namespace.c:580
#3: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: default_device_exit_batch+0xdb/0x650 net/core/dev.c:11596
#4: ffffffff8e136278 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:291 [inline]
#4: ffffffff8e136278 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x39a/0x820 kernel/rcu/tree_exp.h:939
3 locks held by kworker/1:2/783:
#0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc9000408fd20 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc9000408fd20 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:75
1 lock held by dhcpcd/4739:
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
2 locks held by getty/4822:
#0: ffff88802b64a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f162f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b4/0x1e10 drivers/tty/n_tty.c:2201
3 locks held by kworker/1:4/5083:
#0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90003f6fd20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90003f6fd20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4671
3 locks held by kworker/0:3/5086:
#0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#1: ffffc90003fafd20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
#1: ffffc90003fafd20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
#2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:281
1 lock held by syz-executor.0/14954:
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
1 lock held by syz-executor.0/14991:
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
1 lock held by syz-executor.0/14998:
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xfaf/0xff0 kernel/hung_task.c:379
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 14994 Comm: kworker/u4:1 Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_preemption_disabled+0x20/0x120 lib/smp_processor_id.c:16
Code: 90 90 90 90 90 90 90 90 90 90 41 57 41 56 41 54 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 65 8b 1d 7c 23 9e 74 <65> 8b 05 71 23 9e 74 a9 ff ff ff 7f 74 26 65 48 8b 04 25 28 00 00
RSP: 0018:ffffc9000a8ef668 EFLAGS: 00000082
RAX: 7e9a76b27b63e200 RBX: 0000000000000001 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffffffff8bfe5f40 RDI: ffffffff8bfe5f00
RBP: ffffc9000a8ef770 R08: ffff888014c80627 R09: 1ffff110029900c4
R10: dffffc0000000000 R11: ffffed10029900c5 R12: 0000000000000001
R13: 00000000000327bf R14: ffff8880b953c0c0 R15: 000000000000000c
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561393482ff8 CR3: 000000000df32000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
get_flush_tlb_info arch/x86/mm/tlb.c:987 [inline]
flush_tlb_mm_range+0x23f/0x5c0 arch/x86/mm/tlb.c:1021
__text_poke+0x95b/0xd30 arch/x86/kernel/alternative.c:1949
text_poke arch/x86/kernel/alternative.c:1986 [inline]
text_poke_bp_batch+0x8cd/0xb30 arch/x86/kernel/alternative.c:2375
text_poke_flush arch/x86/kernel/alternative.c:2488 [inline]
text_poke_finish+0x30/0x50 arch/x86/kernel/alternative.c:2495
arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
static_key_enable_cpuslocked+0x136/0x260 kernel/jump_label.c:205
static_key_enable+0x1a/0x20 kernel/jump_label.c:218
toggle_allocation_gate+0xb5/0x250 mm/kfence/core.c:826
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
Tested on:
commit: dd85149d rcu/exp: Remove rcu_par_gp_wq
git tree: https://github.com/fbq/linux.git rcu-exp.2024.01.29b
console output: https://syzkaller.appspot.com/x/log.txt?x=174332fa180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4151600db6ca0ae1
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=103a2c1a180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-09 9:13 ` syzbot
@ 2024-03-09 10:19 ` Hillf Danton
0 siblings, 0 replies; 16+ messages in thread
From: Hillf Danton @ 2024-03-09 10:19 UTC (permalink / raw)
To: Frederic Weisbecker, Boqun Feng; +Cc: linux-kernel, syzbot, syzkaller-bugs
On Sat, 09 Mar 2024 01:13:02 -0800
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in switchdev_deferred_process_work
Task hung [0] again with Frederic's fix [1] applied [2].
kworker/1:2:783 kworker/u4:5/146
--- ---
lock rtnl_mutex
lock rtnl_mutex synchronize_rcu_expedited()
[0] Subject: Re: [syzbot] [bluetooth?] INFO: task hung in hci_conn_failed
https://lore.kernel.org/lkml/Zbnq5o_HJOMIIK-c@Boquns-Mac-mini.home/
[1] Subject: [PATCH 8/8] rcu/exp: Remove rcu_par_gp_wq
https://lore.kernel.org/lkml/20240129232349.3170819-9-boqun.feng@gmail.com/
[2] https://github.com/fbq/linux.git rcu-exp.2024.01.29b
>
> INFO: task kworker/1:2:783 blocked for more than 143 seconds.
> Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:2 state:D stack:21872 pid:783 tgid:783 ppid:2 flags:0x00004000
> Workqueue: events switchdev_deferred_process_work
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5400 [inline]
> __schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
> __schedule_loop kernel/sched/core.c:6802 [inline]
> schedule+0x149/0x260 kernel/sched/core.c:6817
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
> switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:75
> process_one_work kernel/workqueue.c:2633 [inline]
> process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
> worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
> kthread+0x2ef/0x390 kernel/kthread.c:388
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
> </TASK>
> INFO: task dhcpcd:4739 blocked for more than 143 seconds.
> Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:dhcpcd state:D stack:20952 pid:4739 tgid:4739 ppid:4738 flags:0x00004002
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5400 [inline]
> __schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
> __schedule_loop kernel/sched/core.c:6802 [inline]
> schedule+0x149/0x260 kernel/sched/core.c:6817
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
> rtnl_lock net/core/rtnetlink.c:79 [inline]
> rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
> netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
> netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
> netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg+0x221/0x270 net/socket.c:745
> ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
> ___sys_sendmsg net/socket.c:2638 [inline]
> __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
> do_syscall_64+0xf9/0x240
> entry_SYSCALL_64_after_hwframe+0x6f/0x77
> RIP: 0033:0x7f85a0637a4b
> RSP: 002b:00007ffebbd31e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f85a055f6c0 RCX: 00007f85a0637a4b
> RDX: 0000000000000000 RSI: 00007ffebbd46018 RDI: 000000000000000f
> RBP: 000000000000000f R08: 0000000000000000 R09: 00007ffebbd46018
> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
> R13: 00007ffebbd46018 R14: 0000000000000030 R15: 0000000000000001
> </TASK>
> INFO: task kworker/0:3:5086 blocked for more than 143 seconds.
> Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:3 state:D stack:21872 pid:5086 tgid:5086 ppid:2 flags:0x00004000
> Workqueue: events linkwatch_event
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5400 [inline]
> __schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
> __schedule_loop kernel/sched/core.c:6802 [inline]
> schedule+0x149/0x260 kernel/sched/core.c:6817
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
> linkwatch_event+0xe/0x60 net/core/link_watch.c:281
> process_one_work kernel/workqueue.c:2633 [inline]
> process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
> worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
> kthread+0x2ef/0x390 kernel/kthread.c:388
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
> </TASK>
> INFO: task syz-executor.0:14954 blocked for more than 144 seconds.
> Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor.0 state:D stack:19888 pid:14954 tgid:14954 ppid:1 flags:0x00004006
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5400 [inline]
> __schedule+0x17d1/0x49f0 kernel/sched/core.c:6727
> __schedule_loop kernel/sched/core.c:6802 [inline]
> schedule+0x149/0x260 kernel/sched/core.c:6817
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6874
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x6a3/0xd70 kernel/locking/mutex.c:752
> rtnl_lock net/core/rtnetlink.c:79 [inline]
> rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
> netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
> netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
> netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg+0x221/0x270 net/socket.c:745
> __sys_sendto+0x3a4/0x4f0 net/socket.c:2191
> __do_sys_sendto net/socket.c:2203 [inline]
> __se_sys_sendto net/socket.c:2199 [inline]
> __x64_sys_sendto+0xde/0x100 net/socket.c:2199
> do_syscall_64+0xf9/0x240
> entry_SYSCALL_64_after_hwframe+0x6f/0x77
> RIP: 0033:0x7f2a1c07fa9c
> RSP: 002b:00007ffc5dd132a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 00007f2a1ccd4620 RCX: 00007f2a1c07fa9c
> RDX: 0000000000000028 RSI: 00007f2a1ccd4670 RDI: 0000000000000003
> RBP: 0000000000000000 R08: 00007ffc5dd132f4 R09: 000000000000000c
> R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
> R13: 0000000000000000 R14: 00007f2a1ccd4670 R15: 0000000000000000
> </TASK>
>
> Showing all locks held in the system:
> 3 locks held by kworker/0:1/8:
> #0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #1: ffffc900000d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #1: ffffc900000d7d20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4671
> 1 lock held by khungtaskd/29:
> #0: ffffffff8e1308e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
> #0: ffffffff8e1308e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
> #0: ffffffff8e1308e0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6614
> 5 locks held by kworker/u4:5/146:
> #0: ffff8880162f0938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #0: ffff8880162f0938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #1: ffffc90002e6fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #1: ffffc90002e6fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #2: ffffffff8f3673d0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf5/0xb90 net/core/net_namespace.c:580
> #3: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: default_device_exit_batch+0xdb/0x650 net/core/dev.c:11596
> #4: ffffffff8e136278 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:291 [inline]
> #4: ffffffff8e136278 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x39a/0x820 kernel/rcu/tree_exp.h:939
> 3 locks held by kworker/1:2/783:
> #0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #1: ffffc9000408fd20 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #1: ffffc9000408fd20 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:75
> 1 lock held by dhcpcd/4739:
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
> 2 locks held by getty/4822:
> #0: ffff88802b64a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
> #1: ffffc90002f162f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b4/0x1e10 drivers/tty/n_tty.c:2201
> 3 locks held by kworker/1:4/5083:
> #0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #0: ffff88802ae89d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #1: ffffc90003f6fd20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #1: ffffc90003f6fd20 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4671
> 3 locks held by kworker/0:3/5086:
> #0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #0: ffff888014c8cd38 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #1: ffffc90003fafd20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2608 [inline]
> #1: ffffc90003fafd20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x825/0x1420 kernel/workqueue.c:2706
> #2: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:281
> 1 lock held by syz-executor.0/14954:
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
> 1 lock held by syz-executor.0/14991:
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
> 1 lock held by syz-executor.0/14998:
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
> #0: ffffffff8f373948 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6612
>
> =============================================
>
> NMI backtrace for cpu 0
> CPU: 0 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
> nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
> nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
> trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
> check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
> watchdog+0xfaf/0xff0 kernel/hung_task.c:379
> kthread+0x2ef/0x390 kernel/kthread.c:388
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
> </TASK>
> Sending NMI from CPU 0 to CPUs 1:
> NMI backtrace for cpu 1
> CPU: 1 PID: 14994 Comm: kworker/u4:1 Not tainted 6.8.0-rc1-syzkaller-00009-gdd85149da01f-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
> Workqueue: events_unbound toggle_allocation_gate
> RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
> RIP: 0010:check_preemption_disabled+0x20/0x120 lib/smp_processor_id.c:16
> Code: 90 90 90 90 90 90 90 90 90 90 41 57 41 56 41 54 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 65 8b 1d 7c 23 9e 74 <65> 8b 05 71 23 9e 74 a9 ff ff ff 7f 74 26 65 48 8b 04 25 28 00 00
> RSP: 0018:ffffc9000a8ef668 EFLAGS: 00000082
> RAX: 7e9a76b27b63e200 RBX: 0000000000000001 RCX: 0000000000000000
> RDX: dffffc0000000000 RSI: ffffffff8bfe5f40 RDI: ffffffff8bfe5f00
> RBP: ffffc9000a8ef770 R08: ffff888014c80627 R09: 1ffff110029900c4
> R10: dffffc0000000000 R11: ffffed10029900c5 R12: 0000000000000001
> R13: 00000000000327bf R14: ffff8880b953c0c0 R15: 000000000000000c
> FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000561393482ff8 CR3: 000000000df32000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <NMI>
> </NMI>
> <TASK>
> get_flush_tlb_info arch/x86/mm/tlb.c:987 [inline]
> flush_tlb_mm_range+0x23f/0x5c0 arch/x86/mm/tlb.c:1021
> __text_poke+0x95b/0xd30 arch/x86/kernel/alternative.c:1949
> text_poke arch/x86/kernel/alternative.c:1986 [inline]
> text_poke_bp_batch+0x8cd/0xb30 arch/x86/kernel/alternative.c:2375
> text_poke_flush arch/x86/kernel/alternative.c:2488 [inline]
> text_poke_finish+0x30/0x50 arch/x86/kernel/alternative.c:2495
> arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
> static_key_enable_cpuslocked+0x136/0x260 kernel/jump_label.c:205
> static_key_enable+0x1a/0x20 kernel/jump_label.c:218
> toggle_allocation_gate+0xb5/0x250 mm/kfence/core.c:826
> process_one_work kernel/workqueue.c:2633 [inline]
> process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
> worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
> kthread+0x2ef/0x390 kernel/kthread.c:388
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
> </TASK>
>
>
> Tested on:
>
> commit: dd85149d rcu/exp: Remove rcu_par_gp_wq
> git tree: https://github.com/fbq/linux.git rcu-exp.2024.01.29b
> console output: https://syzkaller.appspot.com/x/log.txt?x=174332fa180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4151600db6ca0ae1
> dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> patch: https://syzkaller.appspot.com/x/patch.diff?x=103a2c1a180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
` (4 preceding siblings ...)
2024-03-09 8:45 ` Hillf Danton
@ 2024-03-16 9:00 ` Hillf Danton
2024-03-16 10:54 ` syzbot
2024-03-17 10:04 ` Hillf Danton
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-16 9:00 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,12 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ if (!sk)
+ goto err;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-16 9:00 ` Hillf Danton
@ 2024-03-16 10:54 ` syzbot
0 siblings, 0 replies; 16+ messages in thread
From: syzbot @ 2024-03-16 10:54 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in devinet_ioctl
INFO: task dhcpcd:4738 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd state:D stack:20440 pid:4738 tgid:4738 ppid:4737 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
devinet_ioctl+0x2ce/0x1bc0 net/ipv4/devinet.c:1096
inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1001
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f7c316dcd49
RSP: 002b:00007fff890d63f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7c3160e6c0 RCX: 00007f7c316dcd49
RDX: 00007fff890e65e8 RSI: 0000000000008914 RDI: 0000000000000018
RBP: 00007fff890f67a8 R08: 00007fff890e65a8 R09: 00007fff890e6558
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff890e65e8 R14: 0000000000000028 R15: 0000000000008914
</TASK>
INFO: task kworker/0:4:5082 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4 state:D stack:20816 pid:5082 tgid:5082 ppid:2 flags:0x00004000
Workqueue: events switchdev_deferred_process_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task kworker/1:4:5466 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:4 state:D stack:22680 pid:5466 tgid:5466 ppid:2 flags:0x00004000
Workqueue: events linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
linkwatch_event+0xe/0x60 net/core/link_watch.c:276
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task syz-executor.0:14960 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:24632 pid:14960 tgid:14960 ppid:1 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2559
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x8e1/0xcb0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fe09e27fa9c
RSP: 002b:00007fff8336bc70 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fe09eed4620 RCX: 00007fe09e27fa9c
RDX: 0000000000000028 RSI: 00007fe09eed4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fff8336bcc4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fe09eed4670 R15: 0000000000000000
</TASK>
Showing all locks held in the system:
1 lock held by khungtaskd/29:
#0: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6614
5 locks held by kworker/u8:2/42:
#0: ffff888015acd948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888015acd948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc90000b27d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc90000b27d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f381410 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:591
#3: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: cleanup_net+0x6af/0xcc0 net/core/net_namespace.c:627
#4: ffffffff8e137280 (rcu_state.barrier_mutex){+.+.}-{3:3}, at: rcu_barrier+0x4c/0x550 kernel/rcu/tree.c:4073
3 locks held by kworker/u8:6/2456:
#0: ffff888029e26948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888029e26948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc9000a44fd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc9000a44fd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4731
1 lock held by dhcpcd/4738:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x2ce/0x1bc0 net/ipv4/devinet.c:1096
2 locks held by getty/4822:
#0: ffff88802aa950a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f1e2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b5/0x1e10 drivers/tty/n_tty.c:2201
3 locks held by kworker/0:4/5082:
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc90003f47d00 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc90003f47d00 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/1:4/5466:
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc9000518fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc9000518fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276
1 lock held by syz-executor.0/14960:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
1 lock held by syz-executor.0/14964:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
1 lock held by syz-executor.0/14970:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xfb0/0xff0 kernel/hung_task.c:379
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 4513 Comm: klogd Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:__sanitizer_cov_trace_switch+0x6f/0x120
Code: 48 83 f8 07 0f 85 ba 00 00 00 41 b8 07 00 00 00 4d 85 d2 75 24 e9 aa 00 00 00 41 b8 01 00 00 00 4d 85 d2 75 14 e9 9a 00 00 00 <41> b8 05 00 00 00 4d 85 d2 0f 84 8b 00 00 00 4c 8b 4c 24 20 65 4c
RSP: 0018:ffffc900031b7178 EFLAGS: 00000246
RAX: 0000000000000003 RBX: 0000000000000002 RCX: ffff888074001e00
RDX: ffffffff900811d8 RSI: ffffffff8dfa0870 RDI: 0000000000000002
RBP: ffffffff900811dd R08: 0000000000000005 R09: ffffffff8140972e
R10: 0000000000000003 R11: ffff888074001e00 R12: ffffffff900811dc
R13: dffffc0000000000 R14: ffffc900031b7330 R15: 1ffff92000636e5c
FS: 00007f992938b380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f99d96ba070 CR3: 000000002d988000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
unwind_next_frame+0xff6/0x2a00 arch/x86/kernel/unwind_orc.c:581
__unwind_start+0x641/0x7c0 arch/x86/kernel/unwind_orc.c:760
unwind_start arch/x86/include/asm/unwind.h:64 [inline]
arch_stack_walk+0x103/0x1b0 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc_node_track_caller+0x24e/0x4e0 mm/slub.c:3986
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:599
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6504
sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2795
unix_dgram_sendmsg+0x6d3/0x1f80 net/unix/af_unix.c:2019
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f99294ed9b5
Code: 8b 44 24 08 48 83 c4 28 48 98 c3 48 98 c3 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 26 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 7a 48 8b 15 44 c4 0c 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffebdf27bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f99294ed9b5
RDX: 000000000000004f RSI: 000055ca0c2e0230 RDI: 0000000000000003
RBP: 000055ca0c2da910 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004000 R11: 0000000000000246 R12: 0000000000000013
R13: 00007f992967b212 R14: 00007ffebdf27cf8 R15: 0000000000000000
</TASK>
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=107731be180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=151d8aa5180000
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
` (5 preceding siblings ...)
2024-03-16 9:00 ` Hillf Danton
@ 2024-03-17 10:04 ` Hillf Danton
2024-03-17 10:31 ` syzbot
6 siblings, 1 reply; 16+ messages in thread
From: Hillf Danton @ 2024-03-17 10:04 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Wed, 06 Mar 2024 02:57:18 -0800
> syzbot found the following issue on:
>
> HEAD commit: 805d849d7c3c Merge tag 'acpi-6.8-rc7' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1025fa6a180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/drivers/net/ipvlan/ipvlan_core.c
+++ y/drivers/net/ipvlan/ipvlan_core.c
@@ -426,6 +426,7 @@ static noinline_for_stack int ipvlan_pro
.daddr = ip4h->daddr,
.saddr = ip4h->saddr,
};
+ struct sock *sk;
rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
@@ -439,7 +440,12 @@ static noinline_for_stack int ipvlan_pro
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ sk = skb->sk;
+ if (!sk)
+ goto err;
+ refcount_inc(&sk->sk_wmem_alloc);
err = ip_local_out(net, skb->sk, skb);
+ sk_free(sk);
if (unlikely(net_xmit_eval(err)))
DEV_STATS_INC(dev, tx_errors);
else
--- x/kernel/rcu/tree.c
+++ y/kernel/rcu/tree.c
@@ -4025,6 +4025,7 @@ static void rcu_barrier_entrain(struct r
wake_nocb = was_alldone && rcu_segcblist_pend_cbs(&rdp->cblist);
if (rcu_segcblist_entrain(&rdp->cblist, &rdp->barrier_head)) {
atomic_inc(&rcu_state.barrier_cpu_count);
+ wake_nocb = true;
} else {
debug_rcu_head_unqueue(&rdp->barrier_head);
rcu_barrier_trace(TPS("IRQNQ"), -1, rcu_state.barrier_sequence);
--
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
2024-03-17 10:04 ` Hillf Danton
@ 2024-03-17 10:31 ` syzbot
0 siblings, 0 replies; 16+ messages in thread
From: syzbot @ 2024-03-17 10:31 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in linkwatch_event
INFO: task kworker/1:0:24 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:22672 pid:24 tgid:24 ppid:2 flags:0x00004000
Workqueue: events linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
linkwatch_event+0xe/0x60 net/core/link_watch.c:276
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task kworker/1:1:44 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:20272 pid:44 tgid:44 ppid:2 flags:0x00004000
Workqueue: events switchdev_deferred_process_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
INFO: task dhcpcd:4737 blocked for more than 143 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd state:D stack:20888 pid:4737 tgid:4737 ppid:4736 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
netlink_dump+0x5d3/0xe50 net/netlink/af_netlink.c:2268
netlink_recvmsg+0x6bb/0x11d0 net/netlink/af_netlink.c:1987
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x22f/0x280 net/socket.c:1068
____sys_recvmsg+0x1db/0x470 net/socket.c:2803
___sys_recvmsg net/socket.c:2845 [inline]
__sys_recvmsg+0x2f0/0x3e0 net/socket.c:2875
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f412b50691e
RSP: 002b:00007ffdf9c62d68 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007ffdf9c63e90 RCX: 00007f412b50691e
RDX: 0000000000000000 RSI: 00007ffdf9c63db0 RDI: 0000000000000018
RBP: 00007ffdf9c63e20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000101 R11: 0000000000000246 R12: 0000000000000f00
R13: 00007ffdf9c63d94 R14: 00007ffdf9c63db0 R15: 00007ffdf9c63da0
</TASK>
INFO: task syz-executor.0:14939 blocked for more than 144 seconds.
Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:24632 pid:14939 tgid:14939 ppid:1 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6828
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6885
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2559
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x8e1/0xcb0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fa03a67fa9c
RSP: 002b:00007fffbd622ad0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fa03b2d4620 RCX: 00007fa03a67fa9c
RDX: 0000000000000028 RSI: 00007fa03b2d4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fffbd622b24 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fa03b2d4670 R15: 0000000000000000
</TASK>
Showing all locks held in the system:
3 locks held by kworker/1:0/24:
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc900001e7d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc900001e7d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276
1 lock held by khungtaskd/29:
#0: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6614
3 locks held by kworker/1:1/44:
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888014c78948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc90000b47d00 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc90000b47d00 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/u8:5/65:
#0: ffff88802a4d8148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff88802a4d8148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc900015e7d00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc900015e7d00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4731
5 locks held by kworker/u8:6/1089:
#0: ffff888015acd948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
#0: ffff888015acd948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
#1: ffffc90004d07d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
#1: ffffc90004d07d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
#2: ffffffff8f381410 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:591
#3: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: cleanup_net+0x6af/0xcc0 net/core/net_namespace.c:627
#4: ffffffff8e137280 (rcu_state.barrier_mutex){+.+.}-{3:3}, at: rcu_barrier+0x4c/0x550 kernel/rcu/tree.c:4074
2 locks held by dhcpcd/4737:
#0: ffff888041854678 (nlk_cb_mutex-ROUTE){+.+.}-{3:3}, at: netlink_dump+0xcb/0xe50 net/netlink/af_netlink.c:2209
#1: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0x5d3/0xe50 net/netlink/af_netlink.c:2268
2 locks held by getty/4819:
#0: ffff88802a54c0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc900031332f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b5/0x1e10 drivers/tty/n_tty.c:2201
1 lock held by syz-executor.0/14939:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
1 lock held by syz-executor.0/14942:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
1 lock held by syz-executor.0/14949:
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f38da88 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x842/0x10d0 net/core/rtnetlink.c:6592
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xfb0/0xff0 kernel/hung_task.c:379
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 10 Comm: kworker/u8:0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:__sanitizer_cov_trace_switch+0x83/0x120
Code: 24 e9 aa 00 00 00 41 b8 01 00 00 00 4d 85 d2 75 14 e9 9a 00 00 00 41 b8 05 00 00 00 4d 85 d2 0f 84 8b 00 00 00 4c 8b 4c 24 20 <65> 4c 8b 1c 25 80 d0 03 00 31 d2 eb 08 48 ff c2 49 39 d2 74 71 4c
RSP: 0018:ffffc900000f75a0 EFLAGS: 00000206
RAX: 0000000000000003 RBX: 0000000000000002 RCX: ffff8880172a9e00
RDX: ffffffff909a8172 RSI: ffffffff8dfa0870 RDI: 0000000000000002
RBP: ffffffff909a8177 R08: 0000000000000005 R09: ffffffff81409f66
R10: 0000000000000003 R11: ffff8880172a9e00 R12: ffffffff909a8176
R13: dffffc0000000000 R14: ffffc900000f76f0 R15: 1ffff9200001eed4
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2cc0ad5000 CR3: 000000000df32000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
unwind_next_frame+0xff6/0x2a00 arch/x86/kernel/unwind_orc.c:581
arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2106 [inline]
slab_free mm/slub.c:4280 [inline]
kmem_cache_free+0x102/0x2b0 mm/slub.c:4344
kfree_skb include/linux/skbuff.h:1267 [inline]
ieee80211_iface_work+0x270/0xf10 net/mac80211/iface.c:1661
cfg80211_wiphy_work+0x221/0x260 net/wireless/core.c:437
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1555fc3a180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17737946180000
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2024-03-17 10:31 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
2024-03-08 10:50 ` Hillf Danton
2024-03-08 11:09 ` syzbot
2024-03-08 12:15 ` Hillf Danton
2024-03-08 13:00 ` syzbot
2024-03-08 23:14 ` Hillf Danton
2024-03-09 1:32 ` syzbot
2024-03-09 4:53 ` Hillf Danton
2024-03-09 5:19 ` syzbot
2024-03-09 8:45 ` Hillf Danton
2024-03-09 9:13 ` syzbot
2024-03-09 10:19 ` Hillf Danton
2024-03-16 9:00 ` Hillf Danton
2024-03-16 10:54 ` syzbot
2024-03-17 10:04 ` Hillf Danton
2024-03-17 10:31 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).