linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* unregister_netdevice: waiting for DEV to become free (4)
@ 2020-08-19 13:54 syzbot
  2020-08-19 14:03 ` Dmitry Vyukov
  2020-08-19 14:51 ` syzbot
  0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2020-08-19 13:54 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f
dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15859986900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com

unregister_netdevice: waiting for lo to become free. Usage count = 1


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4)
  2020-08-19 13:54 unregister_netdevice: waiting for DEV to become free (4) syzbot
@ 2020-08-19 14:03 ` Dmitry Vyukov
  2020-08-20 17:07   ` Andrii Nakryiko
  2020-08-19 14:51 ` syzbot
  1 sibling, 1 reply; 5+ messages in thread
From: Dmitry Vyukov @ 2020-08-19 14:03 UTC (permalink / raw)
  To: syzbot; +Cc: LKML, syzkaller-bugs, bpf

On Wed, Aug 19, 2020 at 3:54 PM syzbot
<syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f
> dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0
> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15859986900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com
>
> unregister_netdevice: waiting for lo to become free. Usage count = 1

Based on the repro, it looks bpf/bpf link related:

syz_emit_ethernet(0x86, &(0x7f0000000000)={@local, @empty=[0x2],
@void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0,
0x11, 0x0, @empty, @empty}, {0x0, 0x1b59, 0x64, 0x0,
@wg=@response={0x5, 0x0, 0x0, "020000010865390406030500000000010900",
"9384bbeb3018ad591b661fe808b21b77",
{"694c875dfb1be5d2a0057a62022a1564",
"a329d3a73b8268129e5fa4316a5d8c69"}}}}}}}, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000080)='./file0\x00',
&(0x7f0000000040)='cgroup2\x00', 0x0, 0x0)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4,
&(0x7f0000000000)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6,
0x2, 0x1}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [],
0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70)
bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r1, r0, 0x2}, 0x10)

> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4)
  2020-08-19 13:54 unregister_netdevice: waiting for DEV to become free (4) syzbot
  2020-08-19 14:03 ` Dmitry Vyukov
@ 2020-08-19 14:51 ` syzbot
  1 sibling, 0 replies; 5+ messages in thread
From: syzbot @ 2020-08-19 14:51 UTC (permalink / raw)
  To: ast, bpf, davem, dvyukov, linux-fsdevel, linux-kernel, mcgrof,
	syzkaller-bugs, viro

syzbot has bisected this issue to:

commit 449325b52b7a6208f65ed67d3484fd7b7184477b
Author: Alexei Starovoitov <ast@kernel.org>
Date:   Tue May 22 02:22:29 2018 +0000

    umh: introduce fork_usermode_blob() helper

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11f86186900000
start commit:   18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel...
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=13f86186900000
console output: https://syzkaller.appspot.com/x/log.txt?x=15f86186900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f
dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15859986900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000

Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com
Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4)
  2020-08-19 14:03 ` Dmitry Vyukov
@ 2020-08-20 17:07   ` Andrii Nakryiko
  2020-08-20 17:15     ` Dmitry Vyukov
  0 siblings, 1 reply; 5+ messages in thread
From: Andrii Nakryiko @ 2020-08-20 17:07 UTC (permalink / raw)
  To: Dmitry Vyukov; +Cc: syzbot, LKML, syzkaller-bugs, bpf

On Wed, Aug 19, 2020 at 7:06 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, Aug 19, 2020 at 3:54 PM syzbot
> <syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel...
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0
> > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15859986900000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com
> >
> > unregister_netdevice: waiting for lo to become free. Usage count = 1
>
> Based on the repro, it looks bpf/bpf link related:
>
> syz_emit_ethernet(0x86, &(0x7f0000000000)={@local, @empty=[0x2],
> @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0,
> 0x11, 0x0, @empty, @empty}, {0x0, 0x1b59, 0x64, 0x0,
> @wg=@response={0x5, 0x0, 0x0, "020000010865390406030500000000010900",
> "9384bbeb3018ad591b661fe808b21b77",
> {"694c875dfb1be5d2a0057a62022a1564",
> "a329d3a73b8268129e5fa4316a5d8c69"}}}}}}}, 0x0)
> mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
> mount(0x0, &(0x7f0000000080)='./file0\x00',
> &(0x7f0000000040)='cgroup2\x00', 0x0, 0x0)
> r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
> r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4,
> &(0x7f0000000000)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6,
> 0x2, 0x1}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [],
> 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70)
> bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r1, r0, 0x2}, 0x10)
>

The only place where BPF link-related code is bumping refcount for
net_device is in bpf_xdp_link_attach(), but both success and failure
code paths always do dev_put() in the end. bpf_link itself has a
pointer on net_device, but it's protected by rtnl_lock() only, no
refcnt associated with it. So I don't see how bpf_link can cause this.
I also couldn't reproduce this locally, using the provided C
reproducer.

> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this issue, for details see:
> > https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4)
  2020-08-20 17:07   ` Andrii Nakryiko
@ 2020-08-20 17:15     ` Dmitry Vyukov
  0 siblings, 0 replies; 5+ messages in thread
From: Dmitry Vyukov @ 2020-08-20 17:15 UTC (permalink / raw)
  To: Andrii Nakryiko; +Cc: syzbot, LKML, syzkaller-bugs, bpf

On Thu, Aug 20, 2020 at 7:07 PM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
> > On Wed, Aug 19, 2020 at 3:54 PM syzbot
> > <syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel...
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0
> > > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15859986900000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com
> > >
> > > unregister_netdevice: waiting for lo to become free. Usage count = 1
> >
> > Based on the repro, it looks bpf/bpf link related:
> >
> > syz_emit_ethernet(0x86, &(0x7f0000000000)={@local, @empty=[0x2],
> > @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0,
> > 0x11, 0x0, @empty, @empty}, {0x0, 0x1b59, 0x64, 0x0,
> > @wg=@response={0x5, 0x0, 0x0, "020000010865390406030500000000010900",
> > "9384bbeb3018ad591b661fe808b21b77",
> > {"694c875dfb1be5d2a0057a62022a1564",
> > "a329d3a73b8268129e5fa4316a5d8c69"}}}}}}}, 0x0)
> > mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
> > mount(0x0, &(0x7f0000000080)='./file0\x00',
> > &(0x7f0000000040)='cgroup2\x00', 0x0, 0x0)
> > r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
> > r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4,
> > &(0x7f0000000000)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6,
> > 0x2, 0x1}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [],
> > 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70)
> > bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r1, r0, 0x2}, 0x10)
> >
>
> The only place where BPF link-related code is bumping refcount for
> net_device is in bpf_xdp_link_attach(), but both success and failure
> code paths always do dev_put() in the end. bpf_link itself has a
> pointer on net_device, but it's protected by rtnl_lock() only, no
> refcnt associated with it. So I don't see how bpf_link can cause this.
> I also couldn't reproduce this locally, using the provided C
> reproducer.

I was able to reproduce this in qemu the first time.

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-08-20 17:15 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-19 13:54 unregister_netdevice: waiting for DEV to become free (4) syzbot
2020-08-19 14:03 ` Dmitry Vyukov
2020-08-20 17:07   ` Andrii Nakryiko
2020-08-20 17:15     ` Dmitry Vyukov
2020-08-19 14:51 ` syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).