2018-02-06 14:29:16

by syzbot

Subject: WARNING: proc registration bug in clusterip_tg_check

Hello,

syzbot hit the following crash on net-next commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

So far this crash happened 5 times on net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

x_tables: ip_tables: osf match: only valid for protocol 6
x_tables: ip_tables: osf match: only valid for protocol 6
x_tables: ip_tables: osf match: only valid for protocol 6
------------[ cut here ]------------
proc_dir_entry 'ipt_CLUSTERIP/172.20.0.170' already registered
WARNING: CPU: 1 PID: 4152 at fs/proc/generic.c:330
proc_register+0x2a4/0x370 fs/proc/generic.c:329
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4152 Comm: syzkaller851476 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1097
RIP: 0010:proc_register+0x2a4/0x370 fs/proc/generic.c:329
RSP: 0018:ffff8801cbd6ee20 EFLAGS: 00010286
RAX: dffffc0000000008 RBX: ffff8801d2181038 RCX: ffffffff815a57ae
RDX: 0000000000000000 RSI: 1ffff100397add74 RDI: 1ffff100397add49
RBP: ffff8801cbd6ee70 R08: 1ffff100397add0b R09: 0000000000000000
R10: ffff8801cbd6ecd8 R11: 0000000000000000 R12: ffff8801b2bb1cc0
R13: dffffc0000000000 R14: ffff8801b0d8dbc8 R15: ffff8801b2bb1d81
proc_create_data+0xf8/0x180 fs/proc/generic.c:494
clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:250 [inline]
clusterip_tg_check+0xf9c/0x16d0 net/ipv4/netfilter/ipt_CLUSTERIP.c:488
xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:850
check_target net/ipv4/netfilter/ip_tables.c:513 [inline]
find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:554
translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:725
do_replace net/ipv4/netfilter/ip_tables.c:1141 [inline]
do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4104
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x446839
RSP: 002b:00007f0309d0fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446839
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000348 R09: 0000000000000000
R10: 0000000020013c90 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc7d53f79f R14: 00007f0309d109c0 R15: 0000000000000003
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.


Attachments:
raw.log.txt (8.75 kB)
repro.syz.txt (1.09 kB)
repro.c.txt (16.22 kB)
config.txt (133.73 kB)

2018-02-07 06:45:04

by Cong Wang

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

On Tue, Feb 6, 2018 at 6:27 AM, syzbot
<[email protected]> wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
> Merge tag 'usercopy-v4.16-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
>
> So far this crash happened 5 times on net-next, upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> x_tables: ip_tables: osf match: only valid for protocol 6
> x_tables: ip_tables: osf match: only valid for protocol 6
> x_tables: ip_tables: osf match: only valid for protocol 6
> ------------[ cut here ]------------
> proc_dir_entry 'ipt_CLUSTERIP/172.20.0.170' already registered
> WARNING: CPU: 1 PID: 4152 at fs/proc/generic.c:330 proc_register+0x2a4/0x370
> fs/proc/generic.c:329
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 1 PID: 4152 Comm: syzkaller851476 Not tainted 4.15.0+ #221
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> panic+0x1e4/0x41c kernel/panic.c:183
> __warn+0x1dc/0x200 kernel/panic.c:547
> report_bug+0x211/0x2d0 lib/bug.c:184
> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> fixup_bug arch/x86/kernel/traps.c:247 [inline]
> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1097
> RIP: 0010:proc_register+0x2a4/0x370 fs/proc/generic.c:329
> RSP: 0018:ffff8801cbd6ee20 EFLAGS: 00010286
> RAX: dffffc0000000008 RBX: ffff8801d2181038 RCX: ffffffff815a57ae
> RDX: 0000000000000000 RSI: 1ffff100397add74 RDI: 1ffff100397add49
> RBP: ffff8801cbd6ee70 R08: 1ffff100397add0b R09: 0000000000000000
> R10: ffff8801cbd6ecd8 R11: 0000000000000000 R12: ffff8801b2bb1cc0
> R13: dffffc0000000000 R14: ffff8801b0d8dbc8 R15: ffff8801b2bb1d81
> proc_create_data+0xf8/0x180 fs/proc/generic.c:494
> clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:250 [inline]

I think there is probably a race condition between clusterip_config_entry_put()
and clusterip_config_init(): after we release the spinlock, a new proc
with the same IP could be created, which triggers this warning....

I am not sure if it is enough to just move the proc_remove() under
spinlock...


diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 3a84a60f6b39..1ff72b87a066 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -107,12 +107,6 @@ clusterip_config_entry_put(struct net *net,
struct clusterip_config *c)

local_bh_disable();
if (refcount_dec_and_lock(&c->entries, &cn->lock)) {
- list_del_rcu(&c->list);
- spin_unlock(&cn->lock);
- local_bh_enable();
-
- unregister_netdevice_notifier(&c->notifier);
-
/* In case anyone still accesses the file, the open/close
* functions are also incrementing the refcount on their own,
* so it's safe to remove the entry even if it's in use. */
@@ -120,6 +114,12 @@ clusterip_config_entry_put(struct net *net,
struct clusterip_config *c)
if (cn->procdir)
proc_remove(c->pde);
#endif
+ list_del_rcu(&c->list);
+ spin_unlock(&cn->lock);
+ local_bh_enable();
+
+ unregister_netdevice_notifier(&c->notifier);
+
return;
}
local_bh_enable();
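
Review bot: proc_remove(c->pde) now runs before the re-added spin_unlock(&cn->lock) and local_bh_enable(), that is, inside the section opened by local_bh_disable() and refcount_dec_and_lock(&c->entries, &cn->lock). proc_remove() can sleep while it waits for users that still have the file open (the retained comment says the file may still be in use), which is not allowed with a spinlock held and bottom halves disabled. Consider keeping the list_del_rcu() and unlock where they were and serialising proc entry creation and removal with a sleepable lock such as a mutex.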


> clusterip_tg_check+0xf9c/0x16d0 net/ipv4/netfilter/ipt_CLUSTERIP.c:488
> xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:850
> check_target net/ipv4/netfilter/ip_tables.c:513 [inline]
> find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:554
> translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:725
> do_replace net/ipv4/netfilter/ip_tables.c:1141 [inline]
> do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
> nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
> nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
> ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
> sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4104
> sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
> SYSC_setsockopt net/socket.c:1849 [inline]
> SyS_setsockopt+0x189/0x360 net/socket.c:1828
> entry_SYSCALL_64_fastpath+0x29/0xa0
> RIP: 0033:0x446839
> RSP: 002b:00007f0309d0fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
> RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446839
> RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
> RBP: 00000000006dbc20 R08: 0000000000000348 R09: 0000000000000000
> R10: 0000000020013c90 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffc7d53f79f R14: 00007f0309d109c0 R15: 0000000000000003
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to [email protected].
>
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
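
The window described in the reply above, as an added example that is not part of the thread or of the kernel source: a single-threaded userspace model that enumerates every interleaving of one clusterip_config_entry_put() with one clusterip_config_init() for the same IP and counts the schedules that register a duplicate proc name. The tables, step names and run_model() are hypothetical stand-ins; the model covers only this pair of tasks and says nothing about whether holding a spinlock across proc_remove() is acceptable.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 4
#define CLUSTER_IP "172.20.0.170"   /* name taken from the warning in the report */

/* Constructed model: a tiny name table stands in for cn->configs and for the
 * ipt_CLUSTERIP/ proc directory. */
struct table { char names[MAX_NAMES][16]; int n; };

static bool table_has(const struct table *t, const char *name)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->names[i], name) == 0)
            return true;
    return false;
}

static void table_add(struct table *t, const char *name)
{
    if (t->n < MAX_NAMES)
        snprintf(t->names[t->n++], sizeof(t->names[0]), "%s", name);
}

static void table_del(struct table *t, const char *name)
{
    for (int i = 0; i < t->n; i++) {
        if (strcmp(t->names[i], name) == 0) {
            memmove(t->names[i], t->names[t->n - 1], sizeof(t->names[i]));
            t->n--;
            return;
        }
    }
}

struct state {
    struct table configs;   /* models the list guarded by cn->lock */
    struct table procfs;    /* models the proc directory's own name table */
    bool init_aborted;      /* init found the IP on the list: -EBUSY */
    bool warned;            /* "proc_dir_entry ... already registered" */
};

enum step { PUT_UNLINK, PUT_PROC_REMOVE, PUT_ATOMIC, INIT_LIST_ADD, INIT_PROC_CREATE };

static void apply(struct state *s, enum step st)
{
    switch (st) {
    case PUT_UNLINK:        /* list_del_rcu() under the lock */
        table_del(&s->configs, CLUSTER_IP);
        break;
    case PUT_PROC_REMOVE:   /* proc_remove() after the lock was dropped */
        table_del(&s->procfs, CLUSTER_IP);
        break;
    case PUT_ATOMIC:        /* both removals as one indivisible step */
        table_del(&s->procfs, CLUSTER_IP);
        table_del(&s->configs, CLUSTER_IP);
        break;
    case INIT_LIST_ADD:     /* lookup + list_add_rcu() under the lock */
        if (table_has(&s->configs, CLUSTER_IP))
            s->init_aborted = true;
        else
            table_add(&s->configs, CLUSTER_IP);
        break;
    case INIT_PROC_CREATE:  /* proc entry creation, outside the lock */
        if (s->init_aborted)
            break;
        if (table_has(&s->procfs, CLUSTER_IP))
            s->warned = true;
        else
            table_add(&s->procfs, CLUSTER_IP);
        break;
    }
}

/* Walk every interleaving that preserves each task's own step order. */
static int explore(struct state s, const enum step *put, int nput,
                   const enum step *init, int ninit, int *total)
{
    int warned = 0;

    if (nput == 0 && ninit == 0) {
        (*total)++;
        return s.warned ? 1 : 0;
    }
    if (nput > 0) {
        struct state next = s;
        apply(&next, put[0]);
        warned += explore(next, put + 1, nput - 1, init, ninit, total);
    }
    if (ninit > 0) {
        struct state next = s;
        apply(&next, init[0]);
        warned += explore(next, put, nput, init + 1, ninit - 1, total);
    }
    return warned;
}

struct result { int schedules; int warning_schedules; };

static struct result run_model(bool teardown_atomic)
{
    static const enum step split[] = { PUT_UNLINK, PUT_PROC_REMOVE };
    static const enum step atomic[] = { PUT_ATOMIC };
    static const enum step init[] = { INIT_LIST_ADD, INIT_PROC_CREATE };
    struct state s;
    struct result r = { 0, 0 };

    memset(&s, 0, sizeof(s));
    table_add(&s.configs, CLUSTER_IP);   /* the old config is still registered */
    table_add(&s.procfs, CLUSTER_IP);
    r.warning_schedules = teardown_atomic
        ? explore(s, atomic, 1, init, 2, &r.schedules)
        : explore(s, split, 2, init, 2, &r.schedules);
    return r;
}

int main(void)
{
    struct result split = run_model(false), atomic = run_model(true);

    printf("split teardown:  %d of %d schedules warn\n", split.warning_schedules, split.schedules);
    printf("atomic teardown: %d of %d schedules warn\n", atomic.warning_schedules, atomic.schedules);
    return 0;
}
```

The one warning schedule is unlink, list add, proc create, proc remove: the new config passes the list check while the old proc name is still present.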

2018-02-07 08:44:17

by Paolo Abeni

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

On Tue, 2018-02-06 at 22:42 -0800, Cong Wang wrote:
> On Tue, Feb 6, 2018 at 6:27 AM, syzbot
> <[email protected]> wrote:
> > Hello,
> >
> > syzbot hit the following crash on net-next commit
> > 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
> > Merge tag 'usercopy-v4.16-rc1' of
> > git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
> >
> > So far this crash happened 5 times on net-next, upstream.
> > C reproducer is attached.
> > syzkaller reproducer is attached.
> > Raw console output is attached.
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: [email protected]
> > It will help syzbot understand when the bug is fixed. See footer for
> > details.
> > If you forward the report, please keep this part and the footer.
> >
> > x_tables: ip_tables: osf match: only valid for protocol 6
> > x_tables: ip_tables: osf match: only valid for protocol 6
> > x_tables: ip_tables: osf match: only valid for protocol 6
> > ------------[ cut here ]------------
> > proc_dir_entry 'ipt_CLUSTERIP/172.20.0.170' already registered
> > WARNING: CPU: 1 PID: 4152 at fs/proc/generic.c:330 proc_register+0x2a4/0x370
> > fs/proc/generic.c:329
> > Kernel panic - not syncing: panic_on_warn set ...
> >
> > CPU: 1 PID: 4152 Comm: syzkaller851476 Not tainted 4.15.0+ #221
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:17 [inline]
> > dump_stack+0x194/0x257 lib/dump_stack.c:53
> > panic+0x1e4/0x41c kernel/panic.c:183
> > __warn+0x1dc/0x200 kernel/panic.c:547
> > report_bug+0x211/0x2d0 lib/bug.c:184
> > fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> > fixup_bug arch/x86/kernel/traps.c:247 [inline]
> > do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> > do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> > invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1097
> > RIP: 0010:proc_register+0x2a4/0x370 fs/proc/generic.c:329
> > RSP: 0018:ffff8801cbd6ee20 EFLAGS: 00010286
> > RAX: dffffc0000000008 RBX: ffff8801d2181038 RCX: ffffffff815a57ae
> > RDX: 0000000000000000 RSI: 1ffff100397add74 RDI: 1ffff100397add49
> > RBP: ffff8801cbd6ee70 R08: 1ffff100397add0b R09: 0000000000000000
> > R10: ffff8801cbd6ecd8 R11: 0000000000000000 R12: ffff8801b2bb1cc0
> > R13: dffffc0000000000 R14: ffff8801b0d8dbc8 R15: ffff8801b2bb1d81
> > proc_create_data+0xf8/0x180 fs/proc/generic.c:494
> > clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:250 [inline]
>
> I think there is probably a race condition between clusterip_config_entry_put()
> and clusterip_config_init(): after we release the spinlock, a new proc
> with the same IP could be created, which triggers this warning....
>
> I am not sure if it is enough to just move the proc_remove() under
> spinlock...

I *think* we should change the order on proc fs entry creation,
because clusterip_config_init() can race with itself,
clusterip_config_init() returns NULL if the clusterip_config_init has
no pte, and currently such entry is inserted into the list with NULL
pte and the list lock itself is released before creating the PTE.

I'll try to test something like the following:
---
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 3a84a60f6b39..d8807c44cc61 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -230,17 +230,6 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i,
refcount_set(&c->refcount, 1);
refcount_set(&c->entries, 1);

- spin_lock_bh(&cn->lock);
- if (__clusterip_config_find(net, ip)) {
- spin_unlock_bh(&cn->lock);
- kfree(c);
-
- return ERR_PTR(-EBUSY);
- }
-
- list_add_rcu(&c->list, &cn->configs);
- spin_unlock_bh(&cn->lock);
-
#ifdef CONFIG_PROC_FS
{
char buffer[16];
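
Review bot: removing the __clusterip_config_find() check and list_add_rcu() from in front of the CONFIG_PROC_FS block leaves nothing to stop two callers with the same ip from both reaching the proc entry creation before either is on cn->configs; the second creation is the proc_create_data() call in the reported trace and would still hit the "already registered" warning. The lookup and the proc creation need to be covered by the same exclusion, for example a sleepable lock held across both, rather than only reordered.
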
@@ -257,6 +246,18 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i,
}
#endif

+ spin_lock_bh(&cn->lock);
+ if (__clusterip_config_find(net, ip)) {
+ spin_unlock_bh(&cn->lock);
+ kfree(c);
+
+ proc_remove(c->pde);
+ return ERR_PTR(-EBUSY);
+ }
+
+ list_add_rcu(&c->list, &cn->configs);
+ spin_unlock_bh(&cn->lock);
+
c->notifier.notifier_call = clusterip_netdev_event;
err = register_netdevice_notifier(&c->notifier);
if (!err)
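
Review bot: in the added -EBUSY branch, kfree(c) runs before proc_remove(c->pde), so c->pde is read from memory that has already been freed; call proc_remove() first and free c last. The proc_remove() call is also outside #ifdef CONFIG_PROC_FS, unlike the creation block above it, so it should be guarded the same way.
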
---

Cheers,

Paolo

2018-02-07 10:44:02

by syzbot

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
> master

Can't find the corresponding bug.


> I can't reproduce the issue locally, so asking the syzbot to test the
> tentative fix for me (and hoping I did not mess with the tag/format)

> ---
> net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 +++++++++++++++---------------
> 1 file changed, 15 insertions(+), 15 deletions(-)

> diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> index 3a84a60f6b39..db103cd971a9 100644
> --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> @@ -230,17 +230,6 @@ clusterip_config_init(struct net *net, const struct
> ipt_clusterip_tgt_info *i,
> refcount_set(&c->refcount, 1);
> refcount_set(&c->entries, 1);

> - spin_lock_bh(&cn->lock);
> - if (__clusterip_config_find(net, ip)) {
> - spin_unlock_bh(&cn->lock);
> - kfree(c);
> -
> - return ERR_PTR(-EBUSY);
> - }
> -
> - list_add_rcu(&c->list, &cn->configs);
> - spin_unlock_bh(&cn->lock);
> -
> #ifdef CONFIG_PROC_FS
> {
> char buffer[16];
> @@ -257,20 +246,31 @@ clusterip_config_init(struct net *net, const struct
> ipt_clusterip_tgt_info *i,
> }
> #endif

> + spin_lock_bh(&cn->lock);
> + if (__clusterip_config_find(net, ip)) {
> + spin_unlock_bh(&cn->lock);
> + err = -EBUSY;
> + goto err_remove_pte:
> + }
> +
> + list_add_rcu(&c->list, &cn->configs);
> + spin_unlock_bh(&cn->lock);
> +
> c->notifier.notifier_call = clusterip_netdev_event;
> err = register_netdevice_notifier(&c->notifier);
> if (!err)
> return c;

> + spin_lock_bh(&cn->lock);
> + list_del_rcu(&c->list);
> + spin_unlock_bh(&cn->lock);
> +
> +err_remove_pte:
> #ifdef CONFIG_PROC_FS
> proc_remove(c->pde);
> err:
> #endif
> - spin_lock_bh(&cn->lock);
> - list_del_rcu(&c->list);
> - spin_unlock_bh(&cn->lock);
> kfree(c);
> -
> return ERR_PTR(err);
> }

> --
> 2.14.3

> --
> You received this message because you are subscribed to the Google
> Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/945c8517a87c671825b61223088064ea2ad0a8cb.1517999262.git.pabeni%40redhat.com.
> For more options, visit https://groups.google.com/d/optout.

2018-02-07 10:45:04

by Paolo Abeni

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master

I can't reproduce the issue locally, so asking the syzbot to test the
tentative fix for me (and hoping I did not mess with the tag/format)

---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 3a84a60f6b39..db103cd971a9 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -230,17 +230,6 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i,
refcount_set(&c->refcount, 1);
refcount_set(&c->entries, 1);

- spin_lock_bh(&cn->lock);
- if (__clusterip_config_find(net, ip)) {
- spin_unlock_bh(&cn->lock);
- kfree(c);
-
- return ERR_PTR(-EBUSY);
- }
-
- list_add_rcu(&c->list, &cn->configs);
- spin_unlock_bh(&cn->lock);
-
#ifdef CONFIG_PROC_FS
{
char buffer[16];
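
Review bot: the posting has no changelog, so the reason the duplicate check and list_add_rcu() removed in this hunk move below the CONFIG_PROC_FS block is not recorded. A final version should state which interleaving the reordering closes and carry the Reported-by tag that the syzbot report asks for.
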
@@ -257,20 +246,31 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i,
}
#endif

+ spin_lock_bh(&cn->lock);
+ if (__clusterip_config_find(net, ip)) {
+ spin_unlock_bh(&cn->lock);
+ err = -EBUSY;
+ goto err_remove_pte:
+ }
+
+ list_add_rcu(&c->list, &cn->configs);
+ spin_unlock_bh(&cn->lock);
+
c->notifier.notifier_call = clusterip_netdev_event;
err = register_netdevice_notifier(&c->notifier);
if (!err)
return c;

+ spin_lock_bh(&cn->lock);
+ list_del_rcu(&c->list);
+ spin_unlock_bh(&cn->lock);
+
+err_remove_pte:
#ifdef CONFIG_PROC_FS
proc_remove(c->pde);
err:
#endif
- spin_lock_bh(&cn->lock);
- list_del_rcu(&c->list);
- spin_unlock_bh(&cn->lock);
kfree(c);
-
return ERR_PTR(err);
}
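
Review bot: "goto err_remove_pte:" in the added -EBUSY branch ends in a colon instead of a semicolon, so the file does not compile; it should read "goto err_remove_pte;".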

--
2.14.3


2018-02-07 10:51:38

by Dmitry Vyukov

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

You dropped syzbot from CC ;)
Add [email protected] to To or CC.


On Wed, Feb 7, 2018 at 11:42 AM, syzbot
<[email protected]> wrote:
>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
>> master
>
>
> Can't find the corresponding bug.
>
>
>
>> I can't reproduce the issue locally, so asking the syzbot to test the
>> tentative fix for me (and hoping I did not mess with the tag/format)
>
>
>> ---
>> net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 +++++++++++++++---------------
>> 1 file changed, 15 insertions(+), 15 deletions(-)
>
>
>> diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
>> b/net/ipv4/netfilter/ipt_CLUSTERIP.c
>> index 3a84a60f6b39..db103cd971a9 100644
>> --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
>> +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
>> @@ -230,17 +230,6 @@ clusterip_config_init(struct net *net, const struct
>> ipt_clusterip_tgt_info *i,
>> refcount_set(&c->refcount, 1);
>> refcount_set(&c->entries, 1);
>
>
>> - spin_lock_bh(&cn->lock);
>> - if (__clusterip_config_find(net, ip)) {
>> - spin_unlock_bh(&cn->lock);
>> - kfree(c);
>> -
>> - return ERR_PTR(-EBUSY);
>> - }
>> -
>> - list_add_rcu(&c->list, &cn->configs);
>> - spin_unlock_bh(&cn->lock);
>> -
>> #ifdef CONFIG_PROC_FS
>> {
>> char buffer[16];
>> @@ -257,20 +246,31 @@ clusterip_config_init(struct net *net, const struct
>> ipt_clusterip_tgt_info *i,
>> }
>> #endif
>
>
>> + spin_lock_bh(&cn->lock);
>> + if (__clusterip_config_find(net, ip)) {
>> + spin_unlock_bh(&cn->lock);
>> + err = -EBUSY;
>> + goto err_remove_pte:
>> + }
>> +
>> + list_add_rcu(&c->list, &cn->configs);
>> + spin_unlock_bh(&cn->lock);
>> +
>> c->notifier.notifier_call = clusterip_netdev_event;
>> err = register_netdevice_notifier(&c->notifier);
>> if (!err)
>> return c;
>
>
>> + spin_lock_bh(&cn->lock);
>> + list_del_rcu(&c->list);
>> + spin_unlock_bh(&cn->lock);
>> +
>> +err_remove_pte:
>> #ifdef CONFIG_PROC_FS
>> proc_remove(c->pde);
>> err:
>> #endif
>> - spin_lock_bh(&cn->lock);
>> - list_del_rcu(&c->list);
>> - spin_unlock_bh(&cn->lock);
>> kfree(c);
>> -
>> return ERR_PTR(err);
>> }
>
>
>> --
>> 2.14.3

2018-02-07 11:05:22

by syzbot

Subject: WARNING: proc registration bug in clusterip_tg_check

Hello,

syzbot tried to test the proposed patch but build/boot failed:

is larger than 2048 bytes [-Wframe-larger-than=]
}
^
CC net/netfilter/xt_CLASSIFY.o
CC drivers/tty/vt/vc_screen.o
CC drivers/tty/vt/selection.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_scl_filters.o
CC net/netfilter/xt_CONNSECMARK.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_transform.o
CC drivers/tty/vt/keyboard.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_clocks.o
AR drivers/virtio/virtio_pci.o
AR drivers/tty/serdev/serdev.o
AR drivers/tty/serdev/built-in.o
CC drivers/tty/vt/consolemap.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_opp.o
CC drivers/tty/serial/8250/8250_pnp.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_dmcu.o
CC drivers/video/fbdev/xen-fbfront.o
CC net/netfilter/xt_CT.o
AR drivers/virtio/built-in.o
CC drivers/video/fbdev/core/fbsysfs.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_abm.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce/dce_ipp.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/gpio_base.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/gpio_service.o
CC drivers/tty/serial/8250/8250_port.o
CC drivers/tty/serial/8250/8250_dma.o
CC drivers/tty/serial/8250/8250_pci.o
CC drivers/tty/vt/consolemap_deftbl.o
CC drivers/video/fbdev/core/modedb.o
CC drivers/video/fbdev/core/fbcvt.o
CC drivers/video/fbdev/core/fb_defio.o
CC drivers/video/fbdev/core/fbcon.o
CC drivers/tty/serial/8250/8250_early.o
CC drivers/xen/cpu_hotplug.o
CC net/netfilter/xt_DSCP.o
CC drivers/xen/fallback.o
CC drivers/xen/grant-table.o
CC drivers/xen/features.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/hw_factory.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/hw_gpio.o
CC drivers/video/fbdev/core/bitblit.o
AR drivers/usb/core/usbcore.o
AR drivers/usb/core/built-in.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/hw_hpd.o
CC drivers/xen/balloon.o
CC drivers/tty/serial/8250/8250_lpss.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/hw_ddc.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/hw_translate.o
CC drivers/tty/vt/vt.o
CC net/netfilter/xt_HL.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/dce80/hw_translate_dce80.o
CC drivers/xen/manage.o
CC drivers/video/fbdev/core/softcursor.o
CC drivers/xen/preempt.o
CC net/netfilter/xt_HMARK.o
CC drivers/usb/mon/mon_main.o
CC drivers/tty/serial/8250/8250_mid.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/dce80/hw_factory_dce80.o
CC drivers/video/fbdev/core/tileblit.o
CC drivers/video/fbdev/core/cfbfillrect.o
CC drivers/video/fbdev/core/cfbcopyarea.o
CC drivers/xen/time.o
CC net/netfilter/xt_LED.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/dce110/hw_translate_dce110.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/dce110/hw_factory_dce110.o
AR drivers/usb/host/built-in.o
CC drivers/video/fbdev/core/cfbimgblt.o
AR drivers/tty/serial/8250/8250.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/dce120/hw_translate_dce120.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/dce120/hw_factory_dce120.o
CC drivers/video/fbdev/core/sysfillrect.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/diagnostics/hw_translate_diag.o
CC drivers/xen/events/events_base.o
CC drivers/video/fbdev/efifb.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/gpio/diagnostics/hw_factory_diag.o
CC drivers/xen/xen-pciback/pci_stub.o
CC drivers/xen/events/events_2l.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/aux_engine.o
CC drivers/usb/mon/mon_stat.o
CC drivers/video/fbdev/core/syscopyarea.o
CC drivers/xen/xenbus/xenbus_client.o
CC drivers/xen/xenbus/xenbus_comms.o
CC drivers/xen/xenbus/xenbus_xs.o
CC drivers/xen/xenbus/xenbus_probe.o
CC drivers/video/fbdev/core/sysimgblt.o
CC drivers/video/fbdev/core/fb_sys_fops.o
CC drivers/xen/xenfs/super.o
CC drivers/xen/xenfs/xenstored.o
CC drivers/xen/xenfs/xensyms.o
CC drivers/xen/pci.o
CC drivers/xen/dbgp.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/engine_base.o
CC drivers/xen/acpi.o
CC net/netfilter/xt_LOG.o
CC drivers/xen/xen-acpi-pad.o
CC net/netfilter/xt_NETMAP.o
CC drivers/usb/mon/mon_text.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/i2caux.o
CC drivers/xen/xenbus/xenbus_probe_backend.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/i2c_engine.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/i2c_generic_hw_engine.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/i2c_hw_engine.o
CC drivers/xen/events/events_fifo.o
CC drivers/xen/xenbus/xenbus_dev_frontend.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/i2c_sw_engine.o
CC drivers/xen/xenbus/xenbus_dev_backend.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce80/i2caux_dce80.o
AR drivers/tty/serial/8250/8250_base.o
AR drivers/tty/serial/8250/built-in.o
CC drivers/xen/xenbus/xenbus_probe_frontend.o
AR drivers/tty/serial/built-in.o
CC drivers/xen/pcpu.o
CC drivers/xen/biomerge.o
AR drivers/xen/xenfs/xenfs.o
AR drivers/xen/xenfs/built-in.o
CC drivers/xen/xen-balloon.o
CC drivers/xen/xen-pciback/pciback_ops.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce80/i2c_hw_engine_dce80.o
CC drivers/xen/evtchn.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce80/i2c_sw_engine_dce80.o
CC drivers/xen/xen-pciback/xenbus.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce100/i2caux_dce100.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce110/i2caux_dce110.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce110/i2c_sw_engine_dce110.o
CC drivers/xen/xen-pciback/conf_space.o
CC drivers/tty/vt/defkeymap.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce110/i2c_hw_engine_dce110.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce110/aux_engine_dce110.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce112/i2caux_dce112.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/dce120/i2caux_dce120.o
CC net/netfilter/xt_NFLOG.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/i2caux/diagnostics/i2caux_diag.o
CC drivers/xen/gntdev.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/irq/irq_service.o
CC drivers/xen/gntalloc.o
CC net/netfilter/xt_NFQUEUE.o
CC drivers/xen/sys-hypervisor.o
CC drivers/xen/platform-pci.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dce80/irq_service_dce80.o
AR drivers/xen/xenbus/xenbus.o
CC drivers/usb/mon/mon_bin.o
CC net/netfilter/xt_RATEEST.o
CC drivers/xen/swiotlb-xen.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dce110/irq_service_dce110.o
AR drivers/xen/events/events.o
AR drivers/xen/events/built-in.o
CC drivers/xen/mcelog.o
AR drivers/xen/xenbus/built-in.o
CC drivers/xen/privcmd.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dce120/irq_service_dce120.o
CC drivers/usb/typec/typec.o
CC drivers/usb/storage/scsiglue.o
CC drivers/usb/typec/tcpm.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/virtual/virtual_link_encoder.o
CC drivers/xen/xen-pciback/conf_space_header.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/virtual/virtual_stream_encoder.o
CC drivers/gpu/drm/amd/amdgpu/../display/dc/dce120/dce120_resource.o
CC drivers/xen/xen-pciback/conf_space_capability.o
CC drivers/usb/storage/protocol.o
CC net/netfilter/xt_REDIRECT.o
CC drivers/usb/typec/ucsi/ucsi.o
CC net/netfilter/xt_SECMARK.o
CC drivers/xen/xen-pciback/conf_space_quirks.o
CC
drivers/gpu/drm/amd/amdgpu/../display/dc/dce120/dce120_timing_generator.o
Makefile:1020: recipe for target 'net' failed
make: *** [net] Error 2


Error text is too large and was truncated, full error text is attached.


Tested on net commit
176bfb406d735655f9a69d868a7af0c3da959d51 (Tue Feb 6 16:48:40 2018 +0000)
Merge branch 'be2net-patch-set'

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.




Attachments:
patch.diff (1.23 kB)
error.txt (165.62 kB)

2018-02-07 11:35:22

by Florian Westphal

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

Paolo Abeni <[email protected]> wrote:

[ pruning CC list ]

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
>
> I can't reproduce the issue locally, so asking the syzbot to test the
> tentative fix for me (and hoping I did not mess with the tag/format)

I can reproduce it.

CLUSTERIP has multiple other bugs that need to be fixed, I'll look into
this asap.

2018-02-07 15:58:38

by Paolo Abeni

Subject: Re: WARNING: proc registration bug in clusterip_tg_check

On Wed, 2018-02-07 at 09:43 +0100, Paolo Abeni wrote:
> On Tue, 2018-02-06 at 22:42 -0800, Cong Wang wrote:
> > On Tue, Feb 6, 2018 at 6:27 AM, syzbot
> > <[email protected]> wrote:
> > > Hello,
> > >
> > > syzbot hit the following crash on net-next commit
> > > 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
> > > Merge tag 'usercopy-v4.16-rc1' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
> > >
> > > So far this crash happened 5 times on net-next, upstream.
> > > C reproducer is attached.
> > > syzkaller reproducer is attached.
> > > Raw console output is attached.
> > > compiler: gcc (GCC) 7.1.1 20170620
> > > .config is attached.
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > > It will help syzbot understand when the bug is fixed. See footer for
> > > details.
> > > If you forward the report, please keep this part and the footer.
> > >
> > > x_tables: ip_tables: osf match: only valid for protocol 6
> > > x_tables: ip_tables: osf match: only valid for protocol 6
> > > x_tables: ip_tables: osf match: only valid for protocol 6
> > > ------------[ cut here ]------------
> > > proc_dir_entry 'ipt_CLUSTERIP/172.20.0.170' already registered
> > > WARNING: CPU: 1 PID: 4152 at fs/proc/generic.c:330 proc_register+0x2a4/0x370
> > > fs/proc/generic.c:329
> > > Kernel panic - not syncing: panic_on_warn set ...
> > >
> > > CPU: 1 PID: 4152 Comm: syzkaller851476 Not tainted 4.15.0+ #221
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > > __dump_stack lib/dump_stack.c:17 [inline]
> > > dump_stack+0x194/0x257 lib/dump_stack.c:53
> > > panic+0x1e4/0x41c kernel/panic.c:183
> > > __warn+0x1dc/0x200 kernel/panic.c:547
> > > report_bug+0x211/0x2d0 lib/bug.c:184
> > > fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> > > fixup_bug arch/x86/kernel/traps.c:247 [inline]
> > > do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> > > do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> > > invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1097
> > > RIP: 0010:proc_register+0x2a4/0x370 fs/proc/generic.c:329
> > > RSP: 0018:ffff8801cbd6ee20 EFLAGS: 00010286
> > > RAX: dffffc0000000008 RBX: ffff8801d2181038 RCX: ffffffff815a57ae
> > > RDX: 0000000000000000 RSI: 1ffff100397add74 RDI: 1ffff100397add49
> > > RBP: ffff8801cbd6ee70 R08: 1ffff100397add0b R09: 0000000000000000
> > > R10: ffff8801cbd6ecd8 R11: 0000000000000000 R12: ffff8801b2bb1cc0
> > > R13: dffffc0000000000 R14: ffff8801b0d8dbc8 R15: ffff8801b2bb1d81
> > > proc_create_data+0xf8/0x180 fs/proc/generic.c:494
> > > clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:250 [inline]
> >
> > I think there is probably a race condition between clusterip_config_entry_put()
> > and clusterip_config_init(), after we release the spinlock, a new proc
> > with the same IP could be created therefore triggers this warning....
> >
> > I am not sure if it is enough to just move the proc_remove() under
> > spinlock...
>
> I *think* we should change the order on proc fs entry creation,
> because clusterip_config_init() can race with itself,
> clusterip_config_init() returns NULL if the clusterip_config_init has
> no pte, and currently such entry is inserted into the list with NULL
> pte and the list lock itself is released before creating the PTE.

I was wrong. My suggested fix does not work at all.

I tried your code and it fixes the issue here.

Feel free to submit with:

Tested-by: Paolo Abeni <[email protected]>

Thank you,

Paolo
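
The race suspected in the thread above (a config is unlinked from the list under the spinlock, its proc entry is removed only after the lock is dropped, and a new config for the same IP registers its proc entry in between), replayed as a fixed interleaving in a userspace model. This is an added example, not kernel code and not the patch discussed in the thread; `struct table`, `struct model`, `find`, `add`, `del`, `cfg_init` and `replay` are hypothetical names, and the serialized ordering is an assumption used only for contrast.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model with hypothetical names; not code from ipt_CLUSTERIP.c. */
#define SLOTS 4
struct table { char name[SLOTS][16]; bool used[SLOTS]; };
struct model { struct table list, proc; int warnings; };

static int find(const struct table *t, const char *ip)
{
    for (int i = 0; i < SLOTS; i++)
        if (t->used[i] && strcmp(t->name[i], ip) == 0) return i;
    return -1;
}
static bool add(struct table *t, const char *ip)
{
    if (find(t, ip) >= 0) return false;          /* duplicate name */
    for (int i = 0; i < SLOTS; i++)
        if (!t->used[i]) {
            snprintf(t->name[i], sizeof t->name[i], "%s", ip);
            return t->used[i] = true;
        }
    return false;                                /* table full */
}
static void del(struct table *t, const char *ip)
{
    int i = find(t, ip);
    if (i >= 0) t->used[i] = false;
}
/* Models config creation: list insert first, proc registration second. */
static int cfg_init(struct model *m, const char *ip)
{
    if (!add(&m->list, ip)) return -1;           /* config for this IP exists */
    if (!add(&m->proc, ip)) {                    /* stale entry of dying config */
        m->warnings++;                           /* models "already registered" */
        del(&m->list, ip);                       /* model choice: undo the insert */
        return -2;
    }
    return 0;
}
/* Replays one interleaving for one IP; returns the number of warnings. */
static int replay(bool serialized, const char *ip, struct model *m)
{
    memset(m, 0, sizeof *m);
    add(&m->list, ip); add(&m->proc, ip);        /* pre-existing config */
    del(&m->list, ip);                           /* put: unlink under the lock */
    if (serialized) { del(&m->proc, ip); cfg_init(m, ip); } /* assumed ordering */
    else            { cfg_init(m, ip); del(&m->proc, ip); } /* suspected race */
    return m->warnings;
}
```

In the racy ordering the new config finds the list empty but the proc name still taken, which is the state the `proc_dir_entry ... already registered` warning reports; the model says nothing about how the kernel should enforce the serialized ordering.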