2018-02-17 03:03:30

by syzbot

Subject: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

Hello,

syzbot hit the following crash on net-next commit
65bd449c32c2745df61913ab54087e77f9d9b70d (Fri Feb 16 20:26:35 2018 +0000)
Merge branch 'tipc-de-generealize-topology-server'

So far this crash happened 25 times on net-next.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Not tainted 4.16.0-rc1+ #230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 1 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at net/core/sock.c:2769
in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
5 locks held by kworker/u4:3/85:
#0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
#1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
#2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
net/core/net_namespace.c:494
#3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
net/core/net_namespace.c:496
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
spin_lock_bh include/linux/spinlock.h:315 [inline]
#4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
#230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
__might_sleep+0x95/0x190 kernel/sched/core.c:6081
lock_sock_nested+0x37/0x110 net/core/sock.c:2769
lock_sock include/net/sock.h:1463 [inline]
tipc_release+0x103/0xff0 net/tipc/socket.c:572
sock_release+0x8d/0x1e0 net/socket.c:594
tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
tipc_exit_net+0x15/0x40 net/tipc/core.c:96
ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.


Attachments:
raw.log.txt (38.64 kB)
repro.syz.txt (280.00 B)
repro.c.txt (360.00 B)
config.txt (133.23 kB)

2018-02-17 08:17:30

by Dmitry Vyukov

Subject: Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

On Sat, Feb 17, 2018 at 4:00 AM, syzbot <[email protected]> wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 65bd449c32c2745df61913ab54087e77f9d9b70d (Fri Feb 16 20:26:35 2018 +0000)
> Merge branch 'tipc-de-generealize-topology-server'

+tipc maintainers

> So far this crash happened 25 times on net-next.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Not tainted 4.16.0-rc1+ #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 1 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> IPVS: ftp: loaded support on port[0] = 21
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> IPVS: ftp: loaded support on port[0] = 21
> IPVS: ftp: loaded support on port[0] = 21
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
> IPVS: ftp: loaded support on port[0] = 21
> BUG: sleeping function called from invalid context at net/core/sock.c:2769
> in_atomic(): 1, irqs_disabled(): 0, pid: 85, name: kworker/u4:3
> 5 locks held by kworker/u4:3/85:
> #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000c9792deb>]
> process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084
> #1: (net_cleanup_work){+.+.}, at: [<00000000adc12e2a>]
> process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088
> #2: (net_sem){++++}, at: [<000000009ccb5669>] cleanup_net+0x23f/0xd20
> net/core/net_namespace.c:494
> #3: (net_mutex){+.+.}, at: [<00000000a92767d9>] cleanup_net+0xa7d/0xd20
> net/core/net_namespace.c:496
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #4: (&(&srv->idr_lock)->rlock){+...}, at: [<000000001343e568>]
> tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685
> CPU: 0 PID: 85 Comm: kworker/u4:3 Tainted: G W 4.16.0-rc1+
> #230
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: netns cleanup_net
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
> __might_sleep+0x95/0x190 kernel/sched/core.c:6081
> lock_sock_nested+0x37/0x110 net/core/sock.c:2769
> lock_sock include/net/sock.h:1463 [inline]
> tipc_release+0x103/0xff0 net/tipc/socket.c:572
> sock_release+0x8d/0x1e0 net/socket.c:594
> tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696
> tipc_exit_net+0x15/0x40 net/tipc/core.c:96
> ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148
> cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529
> process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
> worker_thread+0x223/0x1990 kernel/workqueue.c:2247
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to [email protected].
>
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
>


Attachments:
raw.log.txt (38.64 kB)
repro.syz.txt (280.00 B)
repro.c.txt (360.00 B)
config.txt (133.23 kB)

2018-02-17 22:40:44

by Kirill Tkhai

[permalink] [raw]
Subject: Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

On 17.02.2018 11:15, Dmitry Vyukov wrote:
> On Sat, Feb 17, 2018 at 4:00 AM, syzbot
> <[email protected]> wrote:
>> Hello,
>>
>> syzbot hit the following crash on net-next commit
>> 65bd449c32c2745df61913ab54087e77f9d9b70d (Fri Feb 16 20:26:35 2018 +0000)
>> Merge branch 'tipc-de-generealize-topology-server'
>
> +tipc maintainers

This looks to be caused by commit 0ef897be12b8
"tipc: separate topology server listener socket from subcsriber sockets"

Thanks,
Kirill

2018-02-19 13:25:00

by Jon Maloy

[permalink] [raw]
Subject: RE: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

I don't understand this one. tipc_topsrv_stop() can only be triggered from a user doing rmmod(), and I double-checked that this is running in user mode.
How does the call chain you are reporting occur?

///jon



2018-02-19 13:34:03

by Dmitry Vyukov

[permalink] [raw]
Subject: Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

On Mon, Feb 19, 2018 at 2:23 PM, Jon Maloy <[email protected]> wrote:
> I don't understand this one. tipc_topsrv_stop() can only be triggered from a user doing rmmod(), and I double-checked that this is running in user mode.
> How does the call chain you are reporting occur?

Hi Jon,

Please see the original syzbot report, it includes all known
information about the bug (including a reproducer program):
https://groups.google.com/forum/#!topic/syzkaller-bugs/jWAs6YWMp9g





2018-02-19 13:58:53

by Paolo Abeni

[permalink] [raw]
Subject: Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

On Mon, 2018-02-19 at 13:23 +0000, Jon Maloy wrote:
> I don't understand this one. tipc_topsrv_stop() can only be triggered
> from a user doing rmmod(), and I double-checked that this is running
> in user mode.
> How does the call chain you are reporting occur?

tipc_topsrv_stop() is also called at net namespace destruction time:

static void __net_exit tipc_exit_net(struct net *net)
{
tipc_topsrv_stop(net);
#...

I *think* the following should fix the issue, but I'm unsure if it's
safe.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master

---
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index 02013e00f287..63f35eae7236 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -693,9 +693,9 @@ void tipc_topsrv_stop(struct net *net)
}
__module_get(lsock->ops->owner);
__module_get(lsock->sk->sk_prot_creator->owner);
- sock_release(lsock);
srv->listener = NULL;
spin_unlock_bh(&srv->idr_lock);
+ sock_release(lsock);
tipc_topsrv_work_stop(srv);
idr_destroy(&srv->conn_idr);
kfree(srv);
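Review bot: moving sock_release(lsock) below spin_unlock_bh(&srv->idr_lock) is the right fix for the splat: lock_sock() inside tipc_release() may sleep, and the old placement called it with bottom halves disabled by spin_lock_bh(), which is exactly the in_atomic() condition in the report. Keeping srv->listener = NULL inside the critical section is also the right order, since anyone who takes idr_lock after the unlock no longer finds the socket. What the hunk cannot show is whether every user of the listener socket goes through idr_lock: the work items are only stopped by tipc_topsrv_work_stop(srv) after the release, so the commit message should state why nothing can still dereference lsock between the unlock and the sock_release(lsock) call, which is the safety question the cover text itself raises. For the formal submission, add Fixes: 0ef897be12b8 ("tipc: separate topology server listener socket from subcsriber sockets"), the commit Kirill identified, plus the Reported-by tag syzbot asked for.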

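To make the mechanism behind the report concrete, here is an added user-space model, not code from this thread or from the kernel, of the check that fired: might_sleep() complains whenever preempt_count is non-zero, and spin_lock_bh() makes it non-zero by disabling bottom halves. The model runs the two orderings of sock_release() from the hunk above, the original one under srv->idr_lock and the reordered one, and counts how often the check would fire. All model_ names, the simplified preempt_count bookkeeping and the tiny socket/server structs are assumptions of this example; the SOFTIRQ_DISABLE_OFFSET value mirrors the kernel's constant but nothing else here is kernel code.

```c
/* Added example: user-space model of the kernel's "sleeping function
 * called from invalid context" check, applied to the two orderings of
 * sock_release() in tipc_topsrv_stop(). Illustrative only; every
 * model_ name is an assumption of this example, not kernel API. */
#include <stdio.h>

/* spin_lock_bh() disables softirqs, which adds this to preempt_count
 * (2 * SOFTIRQ_OFFSET in the kernel's preempt_count layout). */
#define SOFTIRQ_DISABLE_OFFSET 0x200

struct model_task {
    unsigned int preempt_count;   /* in_atomic() is preempt_count != 0 */
    unsigned int violations;      /* how many times might_sleep() fired */
};

struct model_sock { int released; };

struct model_srv {
    int idr_lock_held;            /* stands in for spinlock_t idr_lock */
    struct model_sock *listener;
};

static void model_spin_lock_bh(struct model_task *t, struct model_srv *s)
{
    t->preempt_count += SOFTIRQ_DISABLE_OFFSET;   /* local_bh_disable() */
    s->idr_lock_held = 1;
}

static void model_spin_unlock_bh(struct model_task *t, struct model_srv *s)
{
    s->idr_lock_held = 0;
    t->preempt_count -= SOFTIRQ_DISABLE_OFFSET;   /* local_bh_enable() */
}

/* ___might_sleep(): complain if called with preemption or softirqs off. */
static void model_might_sleep(struct model_task *t, const char *where)
{
    if (t->preempt_count != 0) {
        t->violations++;
        printf("BUG: sleeping function called from invalid context at %s\n"
               "in_atomic(): 1, preempt_count: 0x%x\n",
               where, t->preempt_count);
    }
}

/* sock_release() -> tipc_release() -> lock_sock(), which may sleep. */
static void model_sock_release(struct model_task *t, struct model_sock *sk)
{
    model_might_sleep(t, "lock_sock");
    sk->released = 1;
}

/* tipc_topsrv_stop() before the patch: release while holding the lock. */
static unsigned int model_topsrv_stop_before(void)
{
    struct model_task t = {0, 0};
    struct model_sock lsock = {0};
    struct model_srv srv = {0, &lsock};

    model_spin_lock_bh(&t, &srv);
    model_sock_release(&t, srv.listener);   /* sleeps with bh disabled */
    srv.listener = NULL;
    model_spin_unlock_bh(&t, &srv);
    return t.violations;
}

/* tipc_topsrv_stop() as patched: detach under the lock, release after. */
static unsigned int model_topsrv_stop_after(void)
{
    struct model_task t = {0, 0};
    struct model_sock lsock = {0};
    struct model_srv srv = {0, &lsock};
    struct model_sock *to_release;

    model_spin_lock_bh(&t, &srv);
    to_release = srv.listener;
    srv.listener = NULL;        /* lock holders can no longer find it */
    model_spin_unlock_bh(&t, &srv);
    model_sock_release(&t, to_release);   /* preempt_count is 0 here */
    return t.violations;
}

int main(void)
{
    printf("before: %u violation(s)\n", model_topsrv_stop_before());
    printf("after:  %u violation(s)\n", model_topsrv_stop_after());
    return 0;
}
```

Compile with any C compiler and run: the pre-patch ordering reports one violation, the patched ordering none. The pattern the model exercises is the one the patch relies on, and the one to reach for whenever a release path must sleep: take the pointer and clear the shared field under the lock, drop the lock, and only then do the sleeping release, so the sleeping call is outside the atomic section without opening a window in which a lock holder could still find the object.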
2018-02-19 14:15:45

by syzbot

[permalink] [raw]
Subject: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
[email protected]

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on net-next commit
1ec010e705934c8acbe7dbf31afc81e60e3d828b (Fri Feb 16 10:03:07 2018 +0000)
tun: export flags, uid, gid, queue information over netlink

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.


---
There is no WARRANTY for the result, to the extent permitted by applicable law.
Except when otherwise stated in writing syzbot provides the result "AS IS"
without warranty of any kind, either expressed or implied, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality of the result is with you. Should the result
prove defective, you assume the cost of all necessary servicing, repair or
correction.


Attachments:
patch.diff (436.00 B)
config.txt (133.23 kB)

2018-02-19 14:43:02

by Kirill Tkhai

[permalink] [raw]
Subject: Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

On 19.02.2018 16:23, Jon Maloy wrote:
> I don't understand this one. tipc_topsrv_stop() can only be triggered from a user doing rmmod(), and I double-checked that this is running in user mode.
> How does the call chain you are reporting occur?
>

In case of CONFIG_NET_NS=y, pernet_operations::exit() is called after the last reference
to a net is dropped. So, this may happen not only on the module unload path.

Kirill
