linux-kernel.vger.kernel.org archive mirror
From: Eric Dumazet <edumazet@google.com>
To: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: syzbot <syzbot+de6565462ab540f50e47@syzkaller.appspotmail.com>,
	bpf@vger.kernel.org, davem@davemloft.net, dsahern@kernel.org,
	jacob.e.keller@intel.com, jiri@nvidia.com, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
	fishgylk@gmail.com, bagasdotme@gmail.com
Subject: Re: [syzbot] [net?] WARNING in inet_sock_destruct (4)
Date: Tue, 29 Aug 2023 19:06:38 +0200
Message-ID: <CANn89i+dA0MfoED0zd-N_VQpnmsneNK=E=GgpsSFv=JHu7UrbQ@mail.gmail.com>
In-Reply-To: <ef489936-9413-4a01-a3f0-eebadfb64ff9@collabora.com>

On Tue, Aug 29, 2023 at 6:22 PM Muhammad Usama Anjum
<usama.anjum@collabora.com> wrote:
>
> Hi Eric,
>
> On 8/29/23 8:19 PM, Eric Dumazet wrote:
> > On Tue, Aug 29, 2023 at 2:44 PM Muhammad Usama Anjum
> > <usama.anjum@collabora.com> wrote:
> >>
> >> On 6/23/23 7:36 PM, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following issue on:
> >>>
> >>> HEAD commit: 45a3e24f65e9 Linux 6.4-rc7
> >>> git tree: upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=160cc82f280000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47
> >>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160aacb7280000
> >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c115d3280000
> >>>
> >>> Downloadable assets:
> >>> disk image: https://storage.googleapis.com/syzbot-assets/c09bcd4ec365/disk-45a3e24f.raw.xz
> >>> vmlinux: https://storage.googleapis.com/syzbot-assets/03549b639718/vmlinux-45a3e24f.xz
> >>> kernel image: https://storage.googleapis.com/syzbot-assets/91f203e5f63e/bzImage-45a3e24f.xz
> >>>
> >>> The issue was bisected to:
> >>>
> >>> commit 565b4824c39fa335cba2028a09d7beb7112f3c9a
> >>> Author: Jiri Pirko <jiri@nvidia.com>
> >>> Date: Mon Feb 6 09:41:51 2023 +0000
> >>>
> >>> devlink: change port event netdev notifier from per-net to global
> >>>
> >>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110a1a5b280000
> >>> final oops: https://syzkaller.appspot.com/x/report.txt?x=130a1a5b280000
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=150a1a5b280000
> >>>
> >>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>> Reported-by: syzbot+de6565462ab540f50e47@syzkaller.appspotmail.com
> >>> Fixes: 565b4824c39f ("devlink: change port event netdev notifier from per-net to global")
> >>>
> >>> ------------[ cut here ]------------
> >>> WARNING: CPU: 0 PID: 5025 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x6df/0x8a0 net/ipv4/af_inet.c:154
> >> This same warning has been spotted and reported:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=217555
> >>
> >> Syzbot has found the same warning on 4.14, 5.15, 6.1, 6.5-rc and latest
> >> mainline (1c59d383390f9) kernels. The provided reproducers (such as
> >> https://syzkaller.appspot.com/text?tag=ReproC&x=15a10e8aa80000) are
> >> reproducing the same warnings on multicore (at least 2 CPUs) qemu instance.
> >
> > Can you test the following fix ?
> Just tested the fix on 1c59d383390f9, it didn't fix the warning.
>
> Please let me know if you need help in testing more.

Hmm, no more ideas from my side, thanks.

>
> > Thanks.
> >
> > diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> > index 25816e790527dbd6ff55ffb94762b5974e8144aa..1085357b30c9a0d4bf7a578cebf3eeddec953632
> > 100644
> > --- a/net/dccp/ipv6.c
> > +++ b/net/dccp/ipv6.c
> > @@ -377,8 +377,13 @@ static int dccp_v6_conn_request(struct sock *sk,
> > struct sk_buff *skb)
> >         if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
> >             np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
> >             np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
> > +               /* Only initialize ireq->pktops once.
> > +                * We must take a refcount on skb because ireq->pktops
> > +                * could be consumed immediately.
> > +                */
> >                 refcount_inc(&skb->users);
> > -               ireq->pktopts = skb;
> > +               if (cmpxchg(&ireq->pktopts, NULL, skb))
> > +                       refcount_dec(&skb->users);
> >         }
> >         ireq->ir_iif = READ_ONCE(sk->sk_bound_dev_if);
> >
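Review bot: the new comment in dccp_v6_conn_request() spells the field "ireq->pktops" twice while the code assigns ireq->pktopts; fix the spelling so a grep for the field finds the comment. The comment also says "only initialize once" without naming which other context can reach this line for the same ireq, and the cmpxchg() is only justified if one can, so state that path here. The tester's reply in this thread reports the warning still reproduces on 1c59d383390f9 with this applied, which suggests the double initialization assumed here is not the cause.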
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 6e86721e1cdbb8d47b754a2675f6ab1643c7342c..d45aa267473c4ab817cfda06966a536718b50a53
> > 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -798,8 +798,13 @@ static void tcp_v6_init_req(struct request_sock *req,
> >              np->rxopt.bits.rxinfo ||
> >              np->rxopt.bits.rxoinfo || np->rxopt.bits.rxhlim ||
> >              np->rxopt.bits.rxohlim || np->repflow)) {
> > +               /* Only initialize ireq->pktops once.
> > +                * We must take a refcount on skb because ireq->pktops
> > +                * could be consumed immediately.
> > +                */
> >                 refcount_inc(&skb->users);
> > -               ireq->pktopts = skb;
> > +               if (cmpxchg(&ireq->pktopts, NULL, skb))
> > +                       refcount_dec(&skb->users);
> >         }
> >  }
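Review bot: in tcp_v6_init_req() the refcount_inc() / cmpxchg() / refcount_dec() sequence and its comment are a verbatim copy of the net/dccp/ipv6.c hunk; a small shared helper taking ireq and skb would keep the two call sites from drifting. On the path where cmpxchg() finds ireq->pktopts already set, the extra reference is dropped with refcount_dec(), which is only correct while the caller still holds its own reference on skb, since refcount_dec() is not meant to release the last one; the comment should say so, or the code should take the reference only after winning the cmpxchg() if the ordering concern in the comment allows it.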
>
> --
> BR,
> Muhammad Usama Anjum
