Date: Thu, 1 Feb 2018 14:56:46 -0800
From: Eric Biggers
To: weiwan@google.com
Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, yoshfuji@linux-ipv6.org, syzbot
Subject: Re: suspicious RCU usage at net/ipv6/ip6_fib.c:LINE
Message-ID: <20180201225646.dbug5oh3vupjrpy4@gmail.com>
In-Reply-To: <001a113c0b987a17160561d3de01@google.com>

+weiwan@google.com

On Tue, Jan 02, 2018 at 03:58:02PM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 6bb8824732f69de0f233ae6b1a8158e149627b38
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+bca7109dba5d86cb0209@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
>
> =============================
> WARNING: suspicious RCU usage
> 4.15.0-rc5+ #171 Not tainted
> -----------------------------
> net/ipv6/ip6_fib.c:1702 suspicious rcu_dereference_protected() usage!
>
> other info that might help us debug this:
>
>
> rcu_scheduler_active = 2, debug_locks = 1
> 4 locks held by swapper/0/0:
> #0: ((&net->ipv6.ip6_fib_timer)){+.-.}, at: [<00000000d43f631b>]
> lockdep_copy_map include/linux/lockdep.h:178 [inline]
> #0: ((&net->ipv6.ip6_fib_timer)){+.-.}, at: [<00000000d43f631b>]
> call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1310
> #1: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-.}, at: [<000000002ff9d65c>]
> spin_lock_bh include/linux/spinlock.h:315 [inline]
> #1: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-.}, at: [<000000002ff9d65c>]
> fib6_run_gc+0x9d/0x3c0 net/ipv6/ip6_fib.c:2007
> #2: (rcu_read_lock){....}, at: [<0000000091db762d>]
> __fib6_clean_all+0x0/0x3a0 net/ipv6/ip6_fib.c:1560
> #3: (&(&tb->tb6_lock)->rlock){+.-.}, at: [<000000009e503581>] spin_lock_bh
> include/linux/spinlock.h:315 [inline]
> #3: (&(&tb->tb6_lock)->rlock){+.-.}, at: [<000000009e503581>]
> __fib6_clean_all+0x1d0/0x3a0 net/ipv6/ip6_fib.c:1948
>
> stack backtrace:
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.15.0-rc5+ #171
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
> fib6_del+0xcaa/0x11b0 net/ipv6/ip6_fib.c:1701
> fib6_clean_node+0x3aa/0x4f0 net/ipv6/ip6_fib.c:1892
> fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1815
> fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1863
> fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1933
> __fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1949
> fib6_clean_all net/ipv6/ip6_fib.c:1960 [inline]
> fib6_run_gc+0x16b/0x3c0 net/ipv6/ip6_fib.c:2016
> fib6_gc_timer_cb+0x20/0x30 net/ipv6/ip6_fib.c:2033
> call_timer_fn+0x228/0x820 kernel/time/timer.c:1320
> expire_timers kernel/time/timer.c:1357 [inline]
> __run_timers+0x7ee/0xb70 kernel/time/timer.c:1660
> run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
> __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
> invoke_softirq kernel/softirq.c:365 [inline]
> irq_exit+0x1cc/0x200 kernel/softirq.c:405
> exiting_irq arch/x86/include/asm/apic.h:540 [inline]
> smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
> apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:904
>
> RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
> RSP: 0018:ffffffff86407c38 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
> RAX: dffffc0000000000 RBX: 1ffffffff0c80f8a RCX: 0000000000000000
> RDX: 1ffffffff0c99048 RSI: 0000000000000001 RDI: ffffffff864c8240
> RBP: ffffffff86407c38 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffffff86407cf0 R14: ffffffff86c329a0 R15: 0000000000000000
> arch_safe_halt arch/x86/include/asm/paravirt.h:93 [inline]
> default_idle+0xbf/0x460 arch/x86/kernel/process.c:355
> arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:346
> default_idle_call+0x36/0x90 kernel/sched/idle.c:98
> cpuidle_idle_call kernel/sched/idle.c:156 [inline]
> do_idle+0x24a/0x3b0 kernel/sched/idle.c:246
> cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:351
> rest_init+0xed/0xf0 init/main.c:435
> start_kernel+0x7f1/0x819 init/main.c:713
> x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378
> x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359
> secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237

Wei, was this meant to have been fixed by commit 4512c43eac7e00 ("ipv6: remove
null_entry before adding default route")? This crash actually still occurred on
net-next as recently as 43df215d99e604 (Jan 25) which included your fix. I will
go ahead and mark this bug fixed, but syzbot will send a new report if it hits
it again.

#syz fix: ipv6: remove null_entry before adding default route

- Eric