On Fri, Aug 11, 2023 at 06:57:07AM -0700, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 048c796beb6e ipv6: adjust ndisc_is_useropt() to also retur.. > git tree: net > console+strace: https://syzkaller.appspot.com/x/log.txt?x=103213a5a80000 > kernel config: https://syzkaller.appspot.com/x/.config?x=fa5bd4cd5ab6259d > dashboard link: https://syzkaller.appspot.com/bug?extid=d810d3cd45ed1848c3f7 > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1475a873a80000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153cc91ba80000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/bf6b84b5998f/disk-048c796b.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/4000dee89ebe/vmlinux-048c796b.xz > kernel image: https://storage.googleapis.com/syzbot-assets/b700ee9bd306/bzImage-048c796b.xz > > The issue was bisected to: > > commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 > Author: Vlad Buslov <vladbu@xxxxxxxxxx> > Date: Tue Aug 8 09:35:21 2023 +0000 > > vlan: Fix VLAN 0 memory leak I wasn't able to reproduce using the C reproducer, but I'm pretty sure I know what is the problem. I wasn't aware that user space can create VLAN devices with VID 0, which can result in the VLAN driver wrongly deleting it upon NETDEV_DOWN. Reproduced using: ip link add name dummy1 up type dummy ip link add link dummy1 name dummy1.0 type vlan id 0 ip link del dev dummy1 Always adding VID 0 on NETDEV_UP "solves" the problem, but it will increase the memory consumption for each netdev, which is not ideal. A possible solution is trying to delete VID 0 upon NETDEV_UNREGISTER instead of only iterating over upper VLAN devices. Anyway, Vlad, it's probably best to send a revert while we figure it out. > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12cbf169a80000 > final oops: https://syzkaller.appspot.com/x/report.txt?x=11cbf169a80000 > console output: https://syzkaller.appspot.com/x/log.txt?x=16cbf169a80000 > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+d810d3cd45ed1848c3f7@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 718cb09aaa6f ("vlan: Fix VLAN 0 memory leak") > > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 12 at net/core/dev.c:10876 unregister_netdevice_many_notify+0x14d8/0x19a0 net/core/dev.c:10876 > Modules linked in: > CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.5.0-rc4-syzkaller-00248-g048c796beb6e #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 > Workqueue: netns cleanup_net > RIP: 0010:unregister_netdevice_many_notify+0x14d8/0x19a0 net/core/dev.c:10876 > Code: b4 1a 00 00 48 c7 c6 e0 18 81 8b 48 c7 c7 20 19 81 8b c6 05 ab 19 6c 06 01 e8 b4 22 23 f9 0f 0b e9 64 f7 ff ff e8 68 60 5c f9 <0f> 0b e9 3b f7 ff ff e8 fc 68 b0 f9 e9 fc ec ff ff 4c 89 e7 e8 4f > RSP: 0018:ffffc90000117a30 EFLAGS: 00010293 > RAX: 0000000000000000 RBX: 0000000070de5201 RCX: 0000000000000000 > RDX: ffff88801526d940 RSI: ffffffff8829a7b8 RDI: 0000000000000001 > RBP: ffff88807d7ee000 R08: 0000000000000001 R09: 0000000000000000 > R10: 0000000000000001 R11: ffffffff81004e11 R12: ffff888018fb2a00 > R13: 0000000000000000 R14: 0000000000000002 R15: ffff888018fb2a00 > FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00005581d741a950 CR3: 000000007deef000 CR4: 00000000003506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > ip6_tnl_exit_batch_net+0x57d/0x6f0 net/ipv6/ip6_tunnel.c:2278 > ops_exit_list+0x125/0x170 net/core/net_namespace.c:175 > cleanup_net+0x505/0xb20 net/core/net_namespace.c:614 > process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597 > worker_thread+0x687/0x1110 kernel/workqueue.c:2748 > kthread+0x33a/0x430 kernel/kthread.c:389 > ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145 > ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 > </TASK> > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > For information about bisection process see: https://goo.gl/tpsmEJ#bisection > > If the bug is already fixed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to change bug's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the bug is a duplicate of another bug, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup >
