Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3856129imm; Mon, 20 Aug 2018 06:01:13 -0700 (PDT) X-Google-Smtp-Source: AA+uWPzUZxD+UHfFB/kJN2vpEblFetuWvsFIriFLlI1uJQMeRNGfcvcqxuunTVaC9ZqKZSdtpwd1 X-Received: by 2002:a62:49cf:: with SMTP id r76-v6mr47393226pfi.235.1534770073582; Mon, 20 Aug 2018 06:01:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534770073; cv=none; d=google.com; s=arc-20160816; b=OQf1HUfiIlrg5+fM5ehVtpGWp7MZ+fNwG0H3Ut+wSuvP/J5Rk8jqZ+ex6cbtzogbic MaF79LlPLdr10ItbGx0D5kh1lHNSsmgnFKMOH+JpThklIxjSCi4ucnkFgTo9q0/HIlj2 lbcckzV7IHZIDx8CvSJqm6Wn9YCPC+CtQydD1QIjTtXizqhXmngncP602ufGOaKxKhrG CeV1eFXFDCCFEQ7hXgEpevUdiTdp0RxNjSQ4LEvJJyzlV/06Q72RrC56VvtZqhjCESyD Zkgh03ck+U7A5YWGrkyyOIroCHt42eXFvT02mBeLjjVD/tvo83BgJGegKxg2iDIiEhcz o80g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date :arc-authentication-results; bh=bCVClx2CQDPIjBhOIlbSA4OBYEbyEqaZoKBHQH7EF9w=; b=KGHF5T7oHRknz+6hOuJ6WdkFvXayyPEJUANhTsEJP4nUFBvi4X5bwd/Tw5rg3cC4LP nle8OktOBlDOK7dZfmLFiJXZ/S8+wt3sosOSXZjmAvht5IKGnvJ1zmObyNADgJUMKeRg 0y19gUvbOPigRT19rO6h2utvst+7HzA+HEwSqo5NAoz78QhD713fx5CkCEDmZJDEolQo hoQsqRuPEQrCwU4toyTZfxCZNzKACLDkQWeGWfLkG3/PqQX0XxpKHL8W1dkcsL4i+a7D 7Ip5thXYDnRE7rsi5lIZCUbvOAnR3nAkdVP98IfxrTSclCVgjJkhxDZ1lReNs002TSoU /1Rg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v18-v6si9393054pgl.171.2018.08.20.06.00.57; Mon, 20 Aug 2018 06:01:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726900AbeHTQK5 (ORCPT + 99 others); Mon, 20 Aug 2018 12:10:57 -0400 Received: from ja.ssi.bg ([178.16.129.10]:38064 "EHLO ja.ssi.bg" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726712AbeHTQK5 (ORCPT ); Mon, 20 Aug 2018 12:10:57 -0400 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by ja.ssi.bg (8.15.2/8.15.2) with ESMTP id w7KCtG3J005926; Mon, 20 Aug 2018 15:55:16 +0300 Date: Mon, 20 Aug 2018 15:55:16 +0300 (EEST) From: Julian Anastasov To: syzbot cc: ddstreet@ieee.org, dvyukov@google.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: unregister_netdevice: waiting for DEV to become free (2) In-Reply-To: <0000000000007d22100573d66078@google.com> Message-ID: References: <0000000000007d22100573d66078@google.com> User-Agent: Alpine 2.20 (LFD 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, On Sun, 19 Aug 2018, syzbot wrote: > syzbot has found a reproducer for the following crash on: > > HEAD commit: d7857ae43dcc Add linux-next specific files for 20180817 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=13c72fce400000 > kernel config: https://syzkaller.appspot.com/x/.config?x=4b10cd1ea76bb092 > dashboard link: https://syzkaller.appspot.com/bug?extid=30209ea299c09d8785c9 > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15df679a400000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15242741400000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com > > IPVS: stopping master sync thread 4657 ... > IPVS: stopping master sync thread 4663 ... > IPVS: sync thread started: state = MASTER, mcast_ifn = syz_tun, syncid = 0, id > IPVS: = 0 > IPVS: sync thread started: state = MASTER, mcast_ifn = syz_tun, syncid = 0, id > IPVS: = 0 > IPVS: stopping master sync thread 4664 ... > unregister_netdevice: waiting for lo to become free. Usage count = 1 Well, only IPVS and tun in the game? But IPVS does not take any dev references for sync threads. Can it be a problem in tun? For example, a side effects from dst_cache_reset? May be dst_release is called too late? Here is what should happen on unregistration: - NETDEV_UNREGISTER event: rt_flush_dev changes dst->dev with lo but dst is not released - ndo_uninit/ip_tunnel_uninit: dst_cache_reset is called which does nothing!?! May be dst_release call is needed here. - no more references are expected here ... - netdev_run_todo -> netdev_wait_allrefs: loop here due to refcnt!=0 - dev->priv_destructor (ip_tunnel_dev_free) calls dst_cache_destroy where dst_release is used but it is not reached because we loop in netdev_wait_allrefs above - dst_cache_destroy: really call dst_release In fact, after calling rt_flush_dev and replacing the dst->dev we should reach dev->priv_destructor (ip_tunnel_dev_free) for tun device where dst_release for lo should be called. But may be something prevents it, exit batching? Regards -- Julian Anastasov