From: Dmitry Vyukov
Date: Mon, 25 Oct 2021 08:41:46 +0200
Subject: Re: [syzbot] BUG: corrupted list in netif_napi_add
To: Hillf Danton
Cc: Vlad Buslov, Paolo Abeni, Daniel Borkmann, syzbot, LKML, syzkaller-bugs@googlegroups.com
In-Reply-To: <20211023134458.1136-1-hdanton@sina.com>
References: <0000000000005639cd05ce3a6d4d@google.com> <20211023134458.1136-1-hdanton@sina.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 23 Oct 2021 at 15:45, Hillf Danton wrote:
>
> On Mon, 18 Oct 2021 17:04:19 +0300 Vlad Buslov wrote:
> >On Thu 14 Oct 2021 at 16:50, Paolo Abeni wrote:
> >> On Wed, 2021-10-13 at 15:35 +0200, Daniel Borkmann wrote:
> >>> On 10/13/21 1:40 PM, syzbot wrote:
> >>> > Hello,
> >>> >
> >>> > syzbot found the following issue on:
> >>>
> >>> [ +Paolo/Toke wrt veth/XDP, +Jussi wrt bond/XDP, please take a look, thanks! ]
> >>
> >> For the records: Toke and me are actively investigating this issue and
> >> the other recent related one. So far we could not find anything
> >> relevant.
> >>
> >> The only note is that the reproducer is not extremely reliable - I
> >> could not reproduce locally, and multiple syzbot runs on the same code
> >> give different results. Anyhow, so far the issue was only observable
> >> on a specific 'next' commit which is currently "not reachable" from any
> >> branch. I'm wondering if the issue was caused by some inconsistent
> >> status of that tree.
> >
> >Hi,
> >
> >We got a use-after-free with very similar trace [0] during nightly
> >regression. The issue happens when ip link up/down state is flipped
> >several times in a loop and doesn't reproduce for me manually. The fact
> >that it didn't reproduce for me after running the test ten times suggests
> >that it is either very hard to reproduce or that it is a result of some
> >interaction between several tests in our suite.
> >
> >[0]:
> >
> > [ 3187.779569] mlx5_core 0000:08:00.0 enp8s0f0: Link up
> > [ 3187.890694] ==================================================================
> > [ 3187.892518] BUG: KASAN: use-after-free in __list_add_valid+0xc3/0xf0
> > [ 3187.894132] Read of size 8 at addr ffff8881150b3fb8 by task ip/119618
> > [ 3187.895683]
> > [ 3187.896209] CPU: 0 PID: 119618 Comm: ip Not tainted 5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
> > [ 3187.898445] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> > [ 3187.901075] Call Trace:
> > [ 3187.901858]  dump_stack_lvl+0x57/0x7d
> > [ 3187.902899]  print_address_description.constprop.0+0x1f/0x140
> > [ 3187.904346]  ? __list_add_valid+0xc3/0xf0
> > [ 3187.905439]  ? __list_add_valid+0xc3/0xf0
> > [ 3187.906565]  kasan_report.cold+0x83/0xdf
> > [ 3187.907619]  ? __list_add_valid+0xc3/0xf0
> > [ 3187.908693]  __list_add_valid+0xc3/0xf0
> > [ 3187.909765]  netif_napi_add+0x399/0x9a0
> > [ 3187.910794]  ? kmalloc_order_trace+0x6a/0x120
> > [ 3187.911944]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
> > [ 3187.913872]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3187.914959]  ? mlx5e_close_cq+0x80/0x80 [mlx5_core]
> > [ 3187.916584]  ? mutex_is_locked+0x13/0x50
> > [ 3187.917703]  mlx5e_open_locked+0x6a/0x1f0 [mlx5_core]
> > [ 3187.919368]  mlx5e_open+0x35/0xb0 [mlx5_core]
> > [ 3187.920863]  __dev_open+0x22f/0x420
> > [ 3187.921852]  ? dev_set_rx_mode+0x80/0x80
> > [ 3187.922920]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
> > [ 3187.924866]  ? __local_bh_enable_ip+0xa2/0x100
> > [ 3187.926148]  ? trace_hardirqs_on+0x32/0x120
> > [ 3187.927270]  __dev_change_flags+0x451/0x670
> > [ 3187.928387]  ? dev_set_allmulti+0x10/0x10
> > [ 3187.929480]  ? rtnl_fill_vfinfo+0x936/0xdb0
> > [ 3187.930592]  dev_change_flags+0x8b/0x150
> > [ 3187.931651]  do_setlink+0x820/0x2d60
> > [ 3187.932631]  ? rtnetlink_put_metrics+0x490/0x490
> > [ 3187.933852]  ? lock_release+0x460/0x750
> > [ 3187.934881]  ? kvm_async_pf_task_wake+0x410/0x410
> > [ 3187.936122]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3187.937203]  ? do_raw_spin_unlock+0x54/0x220
> > [ 3187.938351]  ? memset+0x20/0x40
> > [ 3187.939246]  ? __nla_validate_parse+0xb2/0x22c0
> > [ 3187.940426]  ? do_raw_spin_lock+0x126/0x270
> > [ 3187.941568]  ? push_cpu_stop+0x830/0x830
> > [ 3187.942638]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3187.943733]  ? devlink_compat_switch_id_get+0xbb/0x100
> > [ 3187.945065]  ? nla_get_range_signed+0x540/0x540
> > [ 3187.946272]  ? memcpy+0x39/0x60
> > [ 3187.947162]  ? memset+0x20/0x40
> > [ 3187.948058]  ? memset+0x20/0x40
> > [ 3187.948943]  __rtnl_newlink+0xac0/0x1370
> > [ 3187.950038]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3187.951380]  ? rtnl_setlink+0x330/0x330
> > [ 3187.952417]  ? deref_stack_reg+0x160/0x160
> > [ 3187.953534]  ? deref_stack_reg+0xe6/0x160
> > [ 3187.954619]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.955848]  ? lock_release+0x460/0x750
> > [ 3187.956886]  ? is_bpf_text_address+0x54/0x110
> > [ 3187.958047]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3187.959133]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3187.960469]  ? deref_stack_reg+0x160/0x160
> > [ 3187.961592]  ? is_bpf_text_address+0x73/0x110
> > [ 3187.962759]  ? kernel_text_address+0xda/0x100
> > [ 3187.963920]  ? __kernel_text_address+0xe/0x30
> > [ 3187.965069]  ? unwind_get_return_address+0x56/0xa0
> > [ 3187.966334]  ? __thaw_task+0x70/0x70
> > [ 3187.967320]  ? arch_stack_walk+0x98/0xf0
> > [ 3187.968405]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3187.969510]  ? trace_hardirqs_on+0x32/0x120
> > [ 3187.970644]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.971883]  rtnl_newlink+0x5f/0x90
> > [ 3187.972866]  rtnetlink_rcv_msg+0x32b/0x950
> > [ 3187.973968]  ? deref_stack_reg+0x160/0x160
> > [ 3187.975088]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3187.976160]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.977393]  ? lock_acquire+0x38d/0x4c0
> > [ 3187.978443]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.979685]  ? lock_acquire+0x38d/0x4c0
> > [ 3187.980733]  netlink_rcv_skb+0x11d/0x340
> > [ 3187.981812]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3187.982862]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.984105]  ? netlink_ack+0x930/0x930
> > [ 3187.985136]  ? netlink_deliver_tap+0x140/0xb10
> > [ 3187.986316]  ? netlink_deliver_tap+0x14c/0xb10
> > [ 3187.987495]  ? _copy_from_iter+0x282/0xbe0
> > [ 3187.988597]  netlink_unicast+0x433/0x700
> > [ 3187.989693]  ? netlink_attachskb+0x740/0x740
> > [ 3187.990819]  ? __alloc_skb+0x117/0x2c0
> > [ 3187.991855]  netlink_sendmsg+0x707/0xbf0
> > [ 3187.992921]  ? netlink_unicast+0x700/0x700
> > [ 3187.994024]  ? netlink_unicast+0x700/0x700
> > [ 3187.995121]  sock_sendmsg+0xb0/0xe0
> > [ 3187.996091]  ____sys_sendmsg+0x4fa/0x6d0
> > [ 3187.997163]  ? iovec_from_user+0x136/0x280
> > [ 3187.998276]  ? kernel_sendmsg+0x30/0x30
> > [ 3188.012806]  ? __import_iovec+0x51/0x610
> > [ 3188.013858]  ___sys_sendmsg+0x12e/0x1b0
> > [ 3188.014875]  ? do_recvmmsg+0x500/0x500
> > [ 3188.015877]  ? get_max_files+0x10/0x10
> > [ 3188.016866]  ? kasan_record_aux_stack+0xab/0xc0
> > [ 3188.018108]  ? call_rcu+0x87/0xd40
> > [ 3188.019041]  ? task_work_run+0xc5/0x160
> > [ 3188.020044]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
> > [ 3188.021271]  ? syscall_exit_to_user_mode+0x19/0x50
> > [ 3188.022563]  ? do_syscall_64+0x4a/0x90
> > [ 3188.023559]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.024858]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.026121]  ? lock_release+0x460/0x750
> > [ 3188.027174]  ? mntput_no_expire+0x113/0xb40
> > [ 3188.028302]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.029398]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.030555]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.031812]  ? mntput_no_expire+0x132/0xb40
> > [ 3188.032940]  ? __fget_light+0x51/0x220
> > [ 3188.033986]  __sys_sendmsg+0xa4/0x120
> > [ 3188.034992]  ? __sys_sendmsg_sock+0x20/0x20
> > [ 3188.036115]  ? call_rcu+0x543/0xd40
> > [ 3188.037084]  ? syscall_enter_from_user_mode+0x1d/0x50
> > [ 3188.038406]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.039515]  do_syscall_64+0x3d/0x90
> > [ 3188.040502]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.041896] RIP: 0033:0x7f904ec94c17
> > [ 3188.042891] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> > [ 3188.047412] RSP: 002b:00007ffc1a6c4a98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 3188.049361] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f904ec94c17
> > [ 3188.051121] RDX: 0000000000000000 RSI: 00007ffc1a6c4b00 RDI: 0000000000000003
> > [ 3188.052881] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007f904ed55a40
> > [ 3188.054645] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
> > [ 3188.056403] R13: 00007ffc1a6c51b0 R14: 00007ffc1a6c6c87 R15: 000000000048f520
> > [ 3188.058189]
> > [ 3188.058732] The buggy address belongs to the page:
> > [ 3188.059996] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
> > [ 3188.062378] flags: 0x8000000000000000(zone=2)
> > [ 3188.063551] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
> > [ 3188.065548] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > [ 3188.067518] page dumped because: kasan: bad access detected
> > [ 3188.068930]
> > [ 3188.069481] Memory state around the buggy address:
> > [ 3188.070730]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.072618]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.074508] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.076378]                                         ^
> > [ 3188.077711]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.079584]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.081470] ==================================================================
> > [ 3188.083406] ==================================================================
> > [ 3188.085280] BUG: KASAN: use-after-free in netif_napi_add+0x8b7/0x9a0
> > [ 3188.086952] Write of size 8 at addr ffff8881150b3fb8 by task ip/119618
> > [ 3188.089181]
> > [ 3188.089987] CPU: 0 PID: 119618 Comm: ip Tainted: G    B             5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
> > [ 3188.092659] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> > [ 3188.095481] Call Trace:
> > [ 3188.096222]  dump_stack_lvl+0x57/0x7d
> > [ 3188.097238]  print_address_description.constprop.0+0x1f/0x140
> > [ 3188.098764]  ? netif_napi_add+0x8b7/0x9a0
> > [ 3188.099862]  ? netif_napi_add+0x8b7/0x9a0
> > [ 3188.100940]  kasan_report.cold+0x83/0xdf
> > [ 3188.102041]  ? netif_napi_add+0x8b7/0x9a0
> > [ 3188.103140]  netif_napi_add+0x8b7/0x9a0
> > [ 3188.104180]  ? kmalloc_order_trace+0x6a/0x120
> > [ 3188.105336]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
> > [ 3188.107145]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.108238]  ? mlx5e_close_cq+0x80/0x80 [mlx5_core]
> > [ 3188.109882]  ? mutex_is_locked+0x13/0x50
> > [ 3188.110985]  mlx5e_open_locked+0x6a/0x1f0 [mlx5_core]
> > [ 3188.112644]  mlx5e_open+0x35/0xb0 [mlx5_core]
> > [ 3188.114215]  __dev_open+0x22f/0x420
> > [ 3188.115186]  ? dev_set_rx_mode+0x80/0x80
> > [ 3188.116247]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
> > [ 3188.118252]  ? __local_bh_enable_ip+0xa2/0x100
> > [ 3188.119438]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.120554]  __dev_change_flags+0x451/0x670
> > [ 3188.121705]  ? dev_set_allmulti+0x10/0x10
> > [ 3188.122828]  ? rtnl_fill_vfinfo+0x936/0xdb0
> > [ 3188.123943]  dev_change_flags+0x8b/0x150
> > [ 3188.124995]  do_setlink+0x820/0x2d60
> > [ 3188.126023]  ? rtnetlink_put_metrics+0x490/0x490
> > [ 3188.127233]  ? lock_release+0x460/0x750
> > [ 3188.128269]  ? kvm_async_pf_task_wake+0x410/0x410
> > [ 3188.129502]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.130620]  ? do_raw_spin_unlock+0x54/0x220
> > [ 3188.131781]  ? memset+0x20/0x40
> > [ 3188.132663]  ? __nla_validate_parse+0xb2/0x22c0
> > [ 3188.133894]  ? do_raw_spin_lock+0x126/0x270
> > [ 3188.135066]  ? push_cpu_stop+0x830/0x830
> > [ 3188.136136]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.137230]  ? devlink_compat_switch_id_get+0xbb/0x100
> > [ 3188.138585]  ? nla_get_range_signed+0x540/0x540
> > [ 3188.139780]  ? memcpy+0x39/0x60
> > [ 3188.140683]  ? memset+0x20/0x40
> > [ 3188.141580]  ? memset+0x20/0x40
> > [ 3188.142517]  __rtnl_newlink+0xac0/0x1370
> > [ 3188.143579]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.144914]  ? rtnl_setlink+0x330/0x330
> > [ 3188.145974]  ? deref_stack_reg+0x160/0x160
> > [ 3188.147078]  ? deref_stack_reg+0xe6/0x160
> > [ 3188.148157]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.149378]  ? lock_release+0x460/0x750
> > [ 3188.150490]  ? is_bpf_text_address+0x54/0x110
> > [ 3188.151648]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.152725]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.154075]  ? deref_stack_reg+0x160/0x160
> > [ 3188.155176]  ? is_bpf_text_address+0x73/0x110
> > [ 3188.156353]  ? kernel_text_address+0xda/0x100
> > [ 3188.157510]  ? __kernel_text_address+0xe/0x30
> > [ 3188.158707]  ? unwind_get_return_address+0x56/0xa0
> > [ 3188.159992]  ? __thaw_task+0x70/0x70
> > [ 3188.160979]  ? arch_stack_walk+0x98/0xf0
> > [ 3188.162072]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.163167]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.164295]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.165546]  rtnl_newlink+0x5f/0x90
> > [ 3188.166558]  rtnetlink_rcv_msg+0x32b/0x950
> > [ 3188.167677]  ? deref_stack_reg+0x160/0x160
> > [ 3188.168782]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.169857]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.171089]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.172131]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.173367]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.174472]  netlink_rcv_skb+0x11d/0x340
> > [ 3188.175531]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.176592]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.177824]  ? netlink_ack+0x930/0x930
> > [ 3188.178848]  ? netlink_deliver_tap+0x140/0xb10
> > [ 3188.180013]  ? netlink_deliver_tap+0x14c/0xb10
> > [ 3188.181188]  ? _copy_from_iter+0x282/0xbe0
> > [ 3188.182351]  netlink_unicast+0x433/0x700
> > [ 3188.183418]  ? netlink_attachskb+0x740/0x740
> > [ 3188.184552]  ? __alloc_skb+0x117/0x2c0
> > [ 3188.185606]  netlink_sendmsg+0x707/0xbf0
> > [ 3188.186672]  ? netlink_unicast+0x700/0x700
> > [ 3188.187783]  ? netlink_unicast+0x700/0x700
> > [ 3188.188882]  sock_sendmsg+0xb0/0xe0
> > [ 3188.189862]  ____sys_sendmsg+0x4fa/0x6d0
> > [ 3188.190971]  ? iovec_from_user+0x136/0x280
> > [ 3188.192074]  ? kernel_sendmsg+0x30/0x30
> > [ 3188.193130]  ? __import_iovec+0x51/0x610
> > [ 3188.194225]  ___sys_sendmsg+0x12e/0x1b0
> > [ 3188.195267]  ? do_recvmmsg+0x500/0x500
> > [ 3188.196301]  ? get_max_files+0x10/0x10
> > [ 3188.197333]  ? kasan_record_aux_stack+0xab/0xc0
> > [ 3188.198558]  ? call_rcu+0x87/0xd40
> > [ 3188.199519]  ? task_work_run+0xc5/0x160
> > [ 3188.200557]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
> > [ 3188.201872]  ? syscall_exit_to_user_mode+0x19/0x50
> > [ 3188.203134]  ? do_syscall_64+0x4a/0x90
> > [ 3188.204152]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.205511]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.206782]  ? lock_release+0x460/0x750
> > [ 3188.207870]  ? mntput_no_expire+0x113/0xb40
> > [ 3188.209025]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.210272]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.211864]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.213644]  ? mntput_no_expire+0x132/0xb40
> > [ 3188.215253]  ? __fget_light+0x51/0x220
> > [ 3188.216535]  __sys_sendmsg+0xa4/0x120
> > [ 3188.217574]  ? __sys_sendmsg_sock+0x20/0x20
> > [ 3188.218707]  ? call_rcu+0x543/0xd40
> > [ 3188.219679]  ? syscall_enter_from_user_mode+0x1d/0x50
> > [ 3188.221004]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.235475]  do_syscall_64+0x3d/0x90
> > [ 3188.236463]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.237744] RIP: 0033:0x7f904ec94c17
> > [ 3188.238693] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> > [ 3188.242968] RSP: 002b:00007ffc1a6c4a98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 3188.244834] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f904ec94c17
> > [ 3188.246604] RDX: 0000000000000000 RSI: 00007ffc1a6c4b00 RDI: 0000000000000003
> > [ 3188.248362] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007f904ed55a40
> > [ 3188.250140] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
> > [ 3188.251889] R13: 00007ffc1a6c51b0 R14: 00007ffc1a6c6c87 R15: 000000000048f520
> > [ 3188.253667]
> > [ 3188.254215] The buggy address belongs to the page:
> > [ 3188.255460] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
> > [ 3188.257812] flags: 0x8000000000000000(zone=2)
> > [ 3188.258985] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
> > [ 3188.260971] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > [ 3188.262993] page dumped because: kasan: bad access detected
> > [ 3188.264413]
> > [ 3188.264943] Memory state around the buggy address:
> > [ 3188.266203]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.268082]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.269957] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.271818]                                         ^
> > [ 3188.273122]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.275000]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.276862] ==================================================================
> > [ 3188.371511] mlx5_core 0000:08:00.0 enp8s0f0: Link up
> > [ 3188.376126] IPv6: ADDRCONF(NETDEV_CHANGE): enp8s0f0: link becomes ready
> > [ 3188.430532] ==================================================================
> > [ 3188.432378] BUG: KASAN: use-after-free in __list_del_entry_valid+0x14b/0x180
> > [ 3188.434254] Read of size 8 at addr ffff8881150b3fb8 by task ip/119619
> > [ 3188.435826]
> > [ 3188.436365] CPU: 3 PID: 119619 Comm: ip Tainted: G    B             5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
> > [ 3188.439688] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> > [ 3188.442423] Call Trace:
> > [ 3188.443172]  dump_stack_lvl+0x57/0x7d
> > [ 3188.444186]  print_address_description.constprop.0+0x1f/0x140
> > [ 3188.445703]  ? __list_del_entry_valid+0x14b/0x180
> > [ 3188.447004]  ? __list_del_entry_valid+0x14b/0x180
> > [ 3188.448255]  kasan_report.cold+0x83/0xdf
> > [ 3188.449323]  ? __list_del_entry_valid+0x14b/0x180
> > [ 3188.450670]  __list_del_entry_valid+0x14b/0x180
> > [ 3188.451887]  ? _raw_spin_unlock+0x1f/0x30
> > [ 3188.452969]  __netif_napi_del.part.0+0xec/0x4a0
> > [ 3188.454453]  mlx5e_close_channel+0x7d/0xd0 [mlx5_core]
> > [ 3188.456988]  mlx5e_close_channels+0xf9/0x200 [mlx5_core]
> > [ 3188.459599]  mlx5e_close_locked+0x101/0x130 [mlx5_core]
> > [ 3188.462156]  mlx5e_close+0xad/0x100 [mlx5_core]
> > [ 3188.463961]  __dev_close_many+0x18e/0x2b0
> > [ 3188.465045]  ? list_netdevice+0x3a0/0x3a0
> > [ 3188.466187]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
> > [ 3188.468156]  ? __local_bh_enable_ip+0xa2/0x100
> > [ 3188.469333]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.470496]  __dev_change_flags+0x254/0x670
> > [ 3188.471605]  ? dev_set_allmulti+0x10/0x10
> > [ 3188.472692]  ? rtnl_fill_vfinfo+0x936/0xdb0
> > [ 3188.473854]  dev_change_flags+0x8b/0x150
> > [ 3188.474965]  do_setlink+0x820/0x2d60
> > [ 3188.475950]  ? rtnetlink_put_metrics+0x490/0x490
> > [ 3188.477165]  ? lock_release+0x460/0x750
> > [ 3188.478306]  ? kvm_async_pf_task_wake+0x410/0x410
> > [ 3188.479542]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.480615]  ? do_raw_spin_unlock+0x54/0x220
> > [ 3188.481790]  ? memset+0x20/0x40
> > [ 3188.482963]  ? __nla_validate_parse+0xb2/0x22c0
> > [ 3188.484167]  ? do_raw_spin_lock+0x126/0x270
> > [ 3188.485281]  ? push_cpu_stop+0x830/0x830
> > [ 3188.486457]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.487557]  ? devlink_compat_switch_id_get+0xbb/0x100
> > [ 3188.488894]  ? nla_get_range_signed+0x540/0x540
> > [ 3188.490168]  ? memcpy+0x39/0x60
> > [ 3188.491083]  ? memset+0x20/0x40
> > [ 3188.491966]  ? memset+0x20/0x40
> > [ 3188.492855]  __rtnl_newlink+0xac0/0x1370
> > [ 3188.493987]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.495384]  ? rtnl_setlink+0x330/0x330
> > [ 3188.496446]  ? deref_stack_reg+0x160/0x160
> > [ 3188.497551]  ? deref_stack_reg+0xe6/0x160
> > [ 3188.498713]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.499929]  ? lock_release+0x460/0x750
> > [ 3188.501232]  ? is_bpf_text_address+0x54/0x110
> > [ 3188.502735]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.503831]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.505157]  ? deref_stack_reg+0x160/0x160
> > [ 3188.506298]  ? is_bpf_text_address+0x73/0x110
> > [ 3188.507459]  ? kernel_text_address+0xda/0x100
> > [ 3188.508615]  ? __kernel_text_address+0xe/0x30
> > [ 3188.509776]  ? unwind_get_return_address+0x56/0xa0
> > [ 3188.511047]  ? __thaw_task+0x70/0x70
> > [ 3188.512033]  ? arch_stack_walk+0x98/0xf0
> > [ 3188.513059]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.514191]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.515303]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.516524]  rtnl_newlink+0x5f/0x90
> > [ 3188.517513]  rtnetlink_rcv_msg+0x32b/0x950
> > [ 3188.518652]  ? deref_stack_reg+0x160/0x160
> > [ 3188.519761]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.520816]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.522119]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.523211]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.524435]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.525498]  netlink_rcv_skb+0x11d/0x340
> > [ 3188.526649]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.527722]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.528949]  ? netlink_ack+0x930/0x930
> > [ 3188.530055]  ? netlink_deliver_tap+0x140/0xb10
> > [ 3188.531347]  ? netlink_deliver_tap+0x14c/0xb10
> > [ 3188.532549]  ? _copy_from_iter+0x282/0xbe0
> > [ 3188.533711]  netlink_unicast+0x433/0x700
> > [ 3188.534845]  ? netlink_attachskb+0x740/0x740
> > [ 3188.535987]  ? __alloc_skb+0x117/0x2c0
> > [ 3188.537006]  netlink_sendmsg+0x707/0xbf0
> > [ 3188.538150]  ? netlink_unicast+0x700/0x700
> > [ 3188.539337]  ? netlink_unicast+0x700/0x700
> > [ 3188.540448]  sock_sendmsg+0xb0/0xe0
> > [ 3188.541424]  ____sys_sendmsg+0x4fa/0x6d0
> > [ 3188.542743]  ? iovec_from_user+0x136/0x280
> > [ 3188.543932]  ? kernel_sendmsg+0x30/0x30
> > [ 3188.544963]  ? __import_iovec+0x51/0x610
> > [ 3188.546063]  ___sys_sendmsg+0x12e/0x1b0
> > [ 3188.547189]  ? do_recvmmsg+0x500/0x500
> > [ 3188.548209]  ? get_max_files+0x10/0x10
> > [ 3188.549226]  ? kasan_record_aux_stack+0xab/0xc0
> > [ 3188.550547]  ? call_rcu+0x87/0xd40
> > [ 3188.551509]  ? task_work_run+0xc5/0x160
> > [ 3188.552546]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
> > [ 3188.553896]  ? syscall_exit_to_user_mode+0x19/0x50
> > [ 3188.555195]  ? do_syscall_64+0x4a/0x90
> > [ 3188.556206]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.557634]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.558903]  ? lock_release+0x460/0x750
> > [ 3188.559948]  ? mntput_no_expire+0x113/0xb40
> > [ 3188.561059]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.562231]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.563338]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.564583]  ? mntput_no_expire+0x132/0xb40
> > [ 3188.565731]  ? __fget_light+0x51/0x220
> > [ 3188.566858]  __sys_sendmsg+0xa4/0x120
> > [ 3188.567878]  ? __sys_sendmsg_sock+0x20/0x20
> > [ 3188.568995]  ? call_rcu+0x543/0xd40
> > [ 3188.570047]  ? syscall_enter_from_user_mode+0x1d/0x50
> > [ 3188.571387]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.572502]  do_syscall_64+0x3d/0x90
> > [ 3188.573491]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.574916] RIP: 0033:0x7fc68ffd4c17
> > [ 3188.575900] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> > [ 3188.580625] RSP: 002b:00007ffd26634f18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 3188.582945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc68ffd4c17
> > [ 3188.585684] RDX: 0000000000000000 RSI: 00007ffd26634f80 RDI: 0000000000000003
> > [ 3188.587965] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007fc690095a40
> > [ 3188.589788] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
> > [ 3188.591618] R13: 00007ffd26635630 R14: 00007ffd26635c85 R15: 000000000048f520
> > [ 3188.593365]
> > [ 3188.593953] The buggy address belongs to the page:
> > [ 3188.595288] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
> > [ 3188.597966] flags: 0x8000000000000000(zone=2)
> > [ 3188.599643] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
> > [ 3188.601766] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > [ 3188.603786] page dumped because: kasan: bad access detected
> > [ 3188.622507]
> > [ 3188.623291] Memory state around the buggy address:
> > [ 3188.625031]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.627617]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.630275] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.632956]                                         ^
> > [ 3188.634838]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.637544]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.640221] ==================================================================
> >
> >[...]
> >
> > [ 3188.574916] RIP: 0033:0x7fc68ffd4c17
> > [ 3188.237744] RIP: 0033:0x7f904ec94c17
>
> Dmitry, what addresses are these RIPs pointing to?

This report did not come from syzkaller/syzbot. We need to ask Vlad.
For syzkaller/syzbot I wouldn't be able to answer such a question.
But I guess it's just code that executes the sendmsg syscall
instruction in user-space. What aspect of that code are you interested in?