From: Toke Høiland-Jørgensen
To: Jakub Kicinski, Vlad Buslov
Cc: Paolo Abeni, Daniel Borkmann, syzbot, andrii@kernel.org, ast@kernel.org,
 bpf@vger.kernel.org, davem@davemloft.net, hawk@kernel.org,
 john.fastabend@gmail.com, kafai@fb.com, kpsingh@kernel.org,
 linux-kernel@vger.kernel.org, netdev@vger.kernel.org, songliubraving@fb.com,
 syzkaller-bugs@googlegroups.com, yhs@fb.com, joamaki@gmail.com,
 Saeed Mahameed, Maxim Mikityanskiy
Subject: Re: [syzbot] BUG: corrupted list in netif_napi_add
Date: Mon, 18 Oct 2021 19:40:40 +0200
Message-ID: <87lf2qi63r.fsf@toke.dk>

Jakub Kicinski writes:

> On Mon, 18 Oct 2021 17:04:19 +0300 Vlad Buslov wrote:
>> We got a use-after-free with very similar trace [0] during nightly
>> regression. The issue happens when ip link up/down state is flipped
>> several times in loop and doesn't reproduce for me manually. The fact
>> that it didn't reproduce for me after running test ten times suggests
>> that it is either very hard to reproduce or that it is a result of some
>> interaction between several tests in our suite.
>>
>> [0]:
>>
>> [ 3187.779569] mlx5_core 0000:08:00.0 enp8s0f0: Link up
>> [ 3187.890694] ==================================================================
>> [ 3187.892518] BUG: KASAN: use-after-free in __list_add_valid+0xc3/0xf0
>> [ 3187.894132] Read of size 8 at addr ffff8881150b3fb8 by task ip/119618
>
> Hm, not sure how similar it is. This one looks like channel was freed
> without deleting NAPI. Do you have list debug enabled?

Well, the other report[0] also kinda looks like the NAPI thread keeps
running after it should have been disabled, so maybe they are in fact
related?

-Toke

[0] https://lore.kernel.org/r/000000000000c1524005cdeacc5f@google.com
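
A userspace model of the failure mode raised in the quoted reply (an object released while its node is still linked on a list) and of the kind of neighbour checks that list debugging runs before linking a new entry. This is an added example, not kernel or mlx5 code and not part of the original thread; `struct channel`, `channel_release`, `add_after_release` and the 0x6b poison byte are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
/* Hypothetical stand-in for a driver channel embedding its NAPI list node. */
struct channel { int id; struct list_head napi_node; };

/* Link after head only if the neighbours pass list-debug style checks. */
static bool list_add_checked(struct list_head *node, struct list_head *head)
{
    struct list_head *prev = head, *next = head->next;
    if (next->prev != prev || prev->next != next || node == prev || node == next)
        return false;
    next->prev = node; node->next = next;
    node->prev = prev; prev->next = node;
    return true;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
}

/* Simulated release: storage is poisoned rather than freed, so the stale
 * read in the next add touches live memory in this model. */
static void channel_release(struct channel *c, bool unlink_first)
{
    if (unlink_first)
        list_del(&c->napi_node);
    memset(c, 0x6b, sizeof(*c)); /* constructed poison byte */
}

/* True if the next add on the same list still passes the checks. */
static bool add_after_release(bool unlink_first)
{
    struct list_head napi_list = { &napi_list, &napi_list };
    struct channel old = { .id = 1 }, fresh = { .id = 2 };
    list_add_checked(&old.napi_node, &napi_list);
    channel_release(&old, unlink_first);
    return list_add_checked(&fresh.napi_node, &napi_list);
}

int main(void)
{
    printf("no unlink: %d, unlink first: %d\n",
           add_after_release(false), add_after_release(true));
    return 0;
}
```

Without the checks, the second add would write through the stale node's pointers; with them, the inconsistency is reported at the add that follows the bad release, not at the release itself.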