On Tue, Aug 29, 2023 at 6:22 PM Muhammad Usama Anjum <usama.anjum@xxxxxxxxxxxxx> wrote:
>
> Hi Eric,
>
> On 8/29/23 8:19 PM, Eric Dumazet wrote:
> > On Tue, Aug 29, 2023 at 2:44 PM Muhammad Usama Anjum
> > <usama.anjum@xxxxxxxxxxxxx> wrote:
> >>
> >> On 6/23/23 7:36 PM, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following issue on:
> >>>
> >>> HEAD commit: 45a3e24f65e9 Linux 6.4-rc7
> >>> git tree: upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=160cc82f280000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47
> >>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160aacb7280000
> >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c115d3280000
> >>>
> >>> Downloadable assets:
> >>> disk image: https://storage.googleapis.com/syzbot-assets/c09bcd4ec365/disk-45a3e24f.raw.xz
> >>> vmlinux: https://storage.googleapis.com/syzbot-assets/03549b639718/vmlinux-45a3e24f.xz
> >>> kernel image: https://storage.googleapis.com/syzbot-assets/91f203e5f63e/bzImage-45a3e24f.xz
> >>>
> >>> The issue was bisected to:
> >>>
> >>> commit 565b4824c39fa335cba2028a09d7beb7112f3c9a
> >>> Author: Jiri Pirko <jiri@xxxxxxxxxx>
> >>> Date: Mon Feb 6 09:41:51 2023 +0000
> >>>
> >>> devlink: change port event netdev notifier from per-net to global
> >>>
> >>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110a1a5b280000
> >>> final oops: https://syzkaller.appspot.com/x/report.txt?x=130a1a5b280000
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=150a1a5b280000
> >>>
> >>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>> Reported-by: syzbot+de6565462ab540f50e47@xxxxxxxxxxxxxxxxxxxxxxxxx
> >>> Fixes: 565b4824c39f ("devlink: change port event netdev notifier from per-net to global")
> >>> > >>> ------------[ cut here ]------------ > >>> WARNING: CPU: 0 PID: 5025 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x6df/0x8a0 net/ipv4/af_inet.c:154 > >> This same warning has been spotted and reported: > >> https://bugzilla.kernel.org/show_bug.cgi?id=217555 > >> > >> Syzbot has found the same warning on 4.14, 5.15, 6.1, 6.5-rc and latest > >> mainline (1c59d383390f9) kernels. The provided reproducers (such as > >> https://syzkaller.appspot.com/text?tag=ReproC&x=15a10e8aa80000) are > >> reproducing the same warnings on multicore (at least 2 CPUs) qemu instance. > > > > Can you test the following fix ? > Just tested the fix on 1c59d383390f9, it didn't fix the warning. > > Please let me know if you need help in testing more. Hmm, no more ideas from my side, thanks. > > > Thanks. > > > > diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c > > index 25816e790527dbd6ff55ffb94762b5974e8144aa..1085357b30c9a0d4bf7a578cebf3eeddec953632 > > 100644 > > --- a/net/dccp/ipv6.c > > +++ b/net/dccp/ipv6.c > > @@ -377,8 +377,13 @@ static int dccp_v6_conn_request(struct sock *sk, > > struct sk_buff *skb) > > if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || > > np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || > > np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { > > + /* Only initialize ireq->pktops once. > > + * We must take a refcount on skb because ireq->pktops > > + * could be consumed immediately. > > + */ > > refcount_inc(&skb->users); > > - ireq->pktopts = skb; > > + if (cmpxchg(&ireq->pktopts, NULL, skb)) > > + refcount_dec(&skb->users); > > } > > ireq->ir_iif = READ_ONCE(sk->sk_bound_dev_if); > > > > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c > > index 6e86721e1cdbb8d47b754a2675f6ab1643c7342c..d45aa267473c4ab817cfda06966a536718b50a53 > > 100644 > > --- a/net/ipv6/tcp_ipv6.c > > +++ b/net/ipv6/tcp_ipv6.c 
> > @@ -798,8 +798,13 @@ static void tcp_v6_init_req(struct request_sock *req, > > np->rxopt.bits.rxinfo || > > np->rxopt.bits.rxoinfo || np->rxopt.bits.rxhlim || > > np->rxopt.bits.rxohlim || np->repflow)) { > > + /* Only initialize ireq->pktops once. > > + * We must take a refcount on skb because ireq->pktops > > + * could be consumed immediately. > > + */ > > refcount_inc(&skb->users); > > - ireq->pktopts = skb; > > + if (cmpxchg(&ireq->pktopts, NULL, skb)) > > + refcount_dec(&skb->users); > > } > > } > > -- > BR, > Muhammad Usama Anjum
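Review bot: In the net/dccp/ipv6.c hunk (dccp_v6_conn_request), the new comment spells the field "ireq->pktops" twice, while the code directly below it uses ireq->pktopts; fix the spelling so a grep for the field name finds the comment. The comment also explains only why the reference is taken before the cmpxchg, not why the undo on the losing path is a bare refcount_dec(&skb->users): that is only safe if the caller still holds its own reference to skb at this point, so the count cannot reach zero here. Say so in the comment.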
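Review bot: In the net/ipv6/tcp_ipv6.c hunk (tcp_v6_init_req), the refcount_inc / cmpxchg / refcount_dec sequence and its comment are a copy of the dccp hunk; put the sequence in one shared helper so the two request paths cannot drift apart. The patch also changes only the store side: the comment says the skb "could be consumed immediately", but no consumer of ireq->pktopts is touched here, so the changelog should name the concurrent path that can find ireq->pktopts already set and state how the reader side is ordered against this cmpxchg. Given the test report in this thread that the warning still reproduces on 1c59d383390f9 with the patch applied, that analysis is needed before this is merged.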