Re: [syzbot] [net?] WARNING in inet_sock_destruct (4)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 29, 2023 at 6:22 PM Muhammad Usama Anjum
<usama.anjum@xxxxxxxxxxxxx> wrote:
>
> Hi Eric,
>
> On 8/29/23 8:19 PM, Eric Dumazet wrote:
> > On Tue, Aug 29, 2023 at 2:44 PM Muhammad Usama Anjum
> > <usama.anjum@xxxxxxxxxxxxx> wrote:
> >>
> >> On 6/23/23 7:36 PM, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following issue on:
> >>>
> >>> HEAD commit: 45a3e24f65e9 Linux 6.4-rc7
> >>> git tree: upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=160cc82f280000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47
> >>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160aacb7280000
> >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c115d3280000
> >>>
> >>> Downloadable assets:
> >>> disk image: https://storage.googleapis.com/syzbot-assets/c09bcd4ec365/disk-45a3e24f.raw.xz
> >>> vmlinux: https://storage.googleapis.com/syzbot-assets/03549b639718/vmlinux-45a3e24f.xz
> >>> kernel image: https://storage.googleapis.com/syzbot-assets/91f203e5f63e/bzImage-45a3e24f.xz
> >>>
> >>> The issue was bisected to:
> >>>
> >>> commit 565b4824c39fa335cba2028a09d7beb7112f3c9a
> >>> Author: Jiri Pirko <jiri@xxxxxxxxxx>
> >>> Date: Mon Feb 6 09:41:51 2023 +0000
> >>>
> >>> devlink: change port event netdev notifier from per-net to global
> >>>
> >>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110a1a5b280000
> >>> final oops: https://syzkaller.appspot.com/x/report.txt?x=130a1a5b280000
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=150a1a5b280000
> >>>
> >>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>> Reported-by: syzbot+de6565462ab540f50e47@xxxxxxxxxxxxxxxxxxxxxxxxx
> >>> Fixes: 565b4824c39f ("devlink: change port event netdev notifier from per-net to global")
> >>>
> >>> ------------[ cut here ]------------
> >>> WARNING: CPU: 0 PID: 5025 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x6df/0x8a0 net/ipv4/af_inet.c:154
> >> This same warning has been spotted and reported:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=217555
> >>
> >> Syzbot has found the same warning on 4.14, 5.15, 6.1, 6.5-rc and latest
> >> mainline (1c59d383390f9) kernels. The provided reproducers (such as
> >> https://syzkaller.appspot.com/text?tag=ReproC&x=15a10e8aa80000) are
> >> reproducing the same warnings on multicore (at least 2 CPUs) qemu instance.
> >
> > Can you test the following fix ?
> Just tested the fix on 1c59d383390f9, it didn't fix the warning.
>
> Please let me know if you need help in testing more.

Hmm, no more ideas from my side, thanks.

>
> > Thanks.
> >
> > diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> > index 25816e790527dbd6ff55ffb94762b5974e8144aa..1085357b30c9a0d4bf7a578cebf3eeddec953632
> > 100644
> > --- a/net/dccp/ipv6.c
> > +++ b/net/dccp/ipv6.c
> > @@ -377,8 +377,13 @@ static int dccp_v6_conn_request(struct sock *sk,
> > struct sk_buff *skb)
> >         if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
> >             np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
> >             np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
> > +               /* Only initialize ireq->pktops once.
> > +                * We must take a refcount on skb because ireq->pktops
> > +                * could be consumed immediately.
> > +                */
> >                 refcount_inc(&skb->users);
> > -               ireq->pktopts = skb;
> > +               if (cmpxchg(&ireq->pktopts, NULL, skb))
> > +                       refcount_dec(&skb->users);
> >         }
> >         ireq->ir_iif = READ_ONCE(sk->sk_bound_dev_if);
> >
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 6e86721e1cdbb8d47b754a2675f6ab1643c7342c..d45aa267473c4ab817cfda06966a536718b50a53
> > 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -798,8 +798,13 @@ static void tcp_v6_init_req(struct request_sock *req,
> >              np->rxopt.bits.rxinfo ||
> >              np->rxopt.bits.rxoinfo || np->rxopt.bits.rxhlim ||
> >              np->rxopt.bits.rxohlim || np->repflow)) {
> > +               /* Only initialize ireq->pktops once.
> > +                * We must take a refcount on skb because ireq->pktops
> > +                * could be consumed immediately.
> > +                */
> >                 refcount_inc(&skb->users);
> > -               ireq->pktopts = skb;
> > +               if (cmpxchg(&ireq->pktopts, NULL, skb))
> > +                       refcount_dec(&skb->users);
> >         }
> >  }
>
> --
> BR,
> Muhammad Usama Anjum





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux