On 08/29/2014 11:26 AM, Tommi Rantala wrote: > Hi, > > Was fuzzing Linus v3.17-rc2-89-g59753a8 with Trinity as the root user > in qemu, when I hit the following assertion failures. > > Tommi > > > [init] Started watchdog process, PID is 4841 > [main] Main thread is alive. > [ 77.229699] sctp: [Deprecated]: trinity-main (pid 4842) Use of int > in max_burst socket option deprecated. > [ 77.229699] Use struct sctp_assoc_value instead > [ 77.297196] RTNL: assertion failed at net/ipv6/addrconf.c (1699) > [ 77.298080] CPU: 0 PID: 4842 Comm: trinity-main Not tainted 3.17.0-rc2+ #30 > [ 77.299039] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 > [ 77.299789] ffff88003d76a618 ffff880026133c50 ffffffff8238ba79 > ffff880037c84520 > [ 77.300829] ffff880026133c90 ffffffff820bd52b 0000000000000000 > ffffffff82d86c40 > [ 77.301869] 0000000000000000 00000000f76fd1e1 ffff8800382d8000 > ffff8800382d8220 > [ 77.302906] Call Trace: > [ 77.303246] [<ffffffff8238ba79>] dump_stack+0x4d/0x66 > [ 77.303928] [<ffffffff820bd52b>] addrconf_join_solict+0x4b/0xb0 > [ 77.304731] [<ffffffff820b031b>] ipv6_dev_ac_inc+0x2bb/0x330 > [ 77.305498] [<ffffffff820b0060>] ? ac6_seq_start+0x260/0x260 > [ 77.306257] [<ffffffff820b05fe>] ipv6_sock_ac_join+0x26e/0x360 > [ 77.307046] [<ffffffff820b0429>] ? ipv6_sock_ac_join+0x99/0x360 > [ 77.307798] [<ffffffff820cdd60>] do_ipv6_setsockopt.isra.5+0xa70/0xf20 > [ 77.308570] [<ffffffff8117097d>] ? sched_clock_local+0x1d/0x80 > [ 77.309260] [<ffffffff810a8a27>] ? kvm_clock_read+0x27/0x40 > [ 77.309915] [<ffffffff810736d9>] ? sched_clock+0x9/0x10 > [ 77.310537] [<ffffffff815afff8>] ? sock_has_perm+0x168/0x1e0 > [ 77.311204] [<ffffffff81170bb8>] ? sched_clock_cpu+0xa8/0xf0 > [ 77.311866] [<ffffffff81170d1b>] ? local_clock+0x1b/0x30 > [ 77.312501] [<ffffffff811872cd>] ? lock_release_holdtime+0x1d/0x170 > [ 77.313241] [<ffffffff815b0010>] ? sock_has_perm+0x180/0x1e0 > [ 77.313905] [<ffffffff815afe90>] ? > selinux_msg_queue_alloc_security+0xa0/0xa0 > [ 77.314746] [<ffffffff820ce263>] ipv6_setsockopt+0x53/0xb0 > [ 77.315397] [<ffffffff820d3135>] udpv6_setsockopt+0x25/0x30 > [ 77.316058] [<ffffffff81f9930f>] sock_common_setsockopt+0xf/0x20 > [ 77.316764] [<ffffffff81f9305e>] SyS_setsockopt+0x8e/0xd0 > [ 77.317406] [<ffffffff823a47e9>] system_call_fastpath+0x16/0x1b > [main] 375 sockets created based on info from socket cachefile. > [main] Generating file descriptors > [main] Added 129 filenames from /dev > [main] Added 44048 filenames from /proc > [main] Added 18192 filenames from /sys > [main] Enabled 9 fd providers. > [watchdog] Watchdog is alive. (pid:4841) > [child3:4846] finit_module (313) returned ENOSYS, marking as inactive. > [child1:4844] kcmp (312) returned ENOSYS, marking as inactive. > [child2:4845] uselib (134) returned ENOSYS, marking as inactive. > [child1:4844] nfsservctl (180) returned ENOSYS, marking as inactive. > [child2:4845] delete_module (129:[32BIT]) returned ENOSYS, marking as inactive. > [child2:4845] init_module (175) returned ENOSYS, marking as inactive. > [ 84.126609] trinity-c7: vm86 mode not supported on 64 bit kernel > [child7:4850] vm86 (166:[32BIT]) returned ENOSYS, marking as inactive. > [main] Bailing main loop because ctrl-c. > [ 84.345840] RTNL: assertion failed at net/ipv6/addrconf.c (1712) > [ 84.346615] CPU: 0 PID: 4842 Comm: trinity-main Not tainted 3.17.0-rc2+ #30 > [ 84.347426] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 > [ 84.348102] ffff88003d76a618 ffff880026133d10 ffffffff8238ba79 > ffff8800382d8000 > [ 84.349018] ffff880026133d50 ffffffff820bd5db ffffffff81141555 > ffff8800382d8220 > [ 84.349935] ffff8800382d8000 00000000f76fd1e1 ffff88003d76a618 > ffff8800382d8000 > [ 84.350848] Call Trace: > [ 84.351149] [<ffffffff8238ba79>] dump_stack+0x4d/0x66 > [ 84.351751] [<ffffffff820bd5db>] addrconf_leave_solict+0x4b/0xb0 > [ 84.352574] [<ffffffff81141555>] ? __local_bh_enable_ip+0xa5/0xf0 > [ 84.353315] [<ffffffff820b07b3>] __ipv6_dev_ac_dec+0xc3/0x140 > [ 84.354019] [<ffffffff820b08c8>] ipv6_dev_ac_dec+0x98/0xb0 > [ 84.354687] [<ffffffff820b0bcd>] ipv6_sock_ac_close+0x10d/0x1a0 > [ 84.355410] [<ffffffff820b0aee>] ? ipv6_sock_ac_close+0x2e/0x1a0 > [ 84.356147] [<ffffffff820ae9d3>] inet6_release+0x23/0x40 > [ 84.356789] [<ffffffff81f91834>] sock_release+0x14/0x80 > [ 84.357410] [<ffffffff81f918ad>] sock_close+0xd/0x20 > [ 84.358042] [<ffffffff8127fa91>] __fput+0x111/0x1e0 > [ 84.358622] [<ffffffff8127fba9>] ____fput+0x9/0x10 > [ 84.359196] [<ffffffff8115e3ee>] task_work_run+0x9e/0xd0 > [ 84.359825] [<ffffffff8113f4b6>] do_exit+0x456/0xb30 > [ 84.360419] [<ffffffff823a541c>] ? retint_swapgs+0x13/0x1b > [ 84.361075] [<ffffffff8113fc54>] do_group_exit+0x84/0xd0 > [ 84.361705] [<ffffffff8113fcaf>] SyS_exit_group+0xf/0x10 > [ 84.362338] [<ffffffff823a47e9>] system_call_fastpath+0x16/0x1b > [watchdog] [4841] Watchdog exiting because ctrl-c. > [init] Ran 775 syscalls. Successes: 179 Failures: 596 > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > Yep, looks like ipv6_dev_ac_inc() and __ipv6_dev_ac_dec() are called without RNTL in the socket option path and with RTNL in the address configuration path. So it look like this this can actually trigger list corruptions. -vlad -- To unsubscribe from this list: send the line "unsubscribe trinity" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html