From: syzbot <syzbot+e56606435b7bfeea8cf5@syzkaller.appspotmail.com>
To: mptcp@lists.01.org
Subject: [MPTCP] WARNING: bad unlock balance in mptcp_poll
Date: Sat, 11 Apr 2020 09:51:14 -0700
Message-ID: <000000000000758fcf05a306a8bf@google.com>

Hello,

syzbot found the following crash on:

HEAD commit:    ae46d2aa mm/gup: Let __get_user_pages_locked() return -EIN..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14fef69fe00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ca75979eeebf06c2
dashboard link: https://syzkaller.appspot.com/bug?extid=e56606435b7bfeea8cf5
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=111ccd2be00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=162b0a77e00000

The bug was bisected to:

commit 59832e246515ab6a4f5aa878073e6f415aa35166
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Apr 2 11:44:52 2020 +0000

    mptcp: subflow: check parent mptcp socket on subflow state change

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14c1f69fe00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=16c1f69fe00000
console output: https://syzkaller.appspot.com/x/log.txt?x=12c1f69fe00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e56606435b7bfeea8cf5@syzkaller.appspotmail.com
Fixes: 59832e246515 ("mptcp: subflow: check parent mptcp socket on subflow state change")

=====================================
WARNING: bad unlock balance detected!
5.6.0-syzkaller #0 Not tainted
-------------------------------------
syz-executor473/7733 is trying to release lock (sk_lock-AF_INET6) at:
[<ffffffff87c51839>] mptcp_poll+0xb9/0x530 net/mptcp/protocol.c:1856
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor473/7733:
 #0: ffff88808fe2f0a0 (slock-AF_INET6){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:358 [inline]
 #0: ffff88808fe2f0a0 (slock-AF_INET6){+...}-{2:2}, at: release_sock+0x1b/0x1b0 net/core/sock.c:2974

stack backtrace:
CPU: 0 PID: 7733 Comm: syz-executor473 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 __lock_release kernel/locking/lockdep.c:4633 [inline]
 lock_release+0x586/0x800 kernel/locking/lockdep.c:4941
 sock_release_ownership include/net/sock.h:1539 [inline]
 release_sock+0x177/0x1b0 net/core/sock.c:2984
 mptcp_poll+0xb9/0x530 net/mptcp/protocol.c:1856
 sock_poll+0x15c/0x470 net/socket.c:1271
 vfs_poll include/linux/poll.h:90 [inline]
 do_pollfd fs/select.c:859 [inline]
 do_poll fs/select.c:907 [inline]
 do_sys_poll+0x63c/0xdd0 fs/select.c:1001
 __do_sys_ppoll fs/select.c:1101 [inline]
 __se_sys_ppoll fs/select.c:1081 [inline]
 __x64_sys_ppoll+0x210/0x280 fs/select.c:1081
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x441219
Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff9deb18e8 EFLAGS: 00000246 ORIG_RAX: 000000000000010f
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441219
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000020000080
RBP: 000000000000f233 R08: 3f00000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402040
R13: 00000000004020d0 R14: 0000000000000000 R15: 0000000000000000


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

WARNING: multiple messages have this Message-ID (diff)
From: syzbot <syzbot+e56606435b7bfeea8cf5@syzkaller.appspotmail.com>
To: davem@davemloft.net, fw@strlen.de, kuba@kernel.org,
	linux-kernel@vger.kernel.org, mathew.j.martineau@linux.intel.com,
	matthieu.baerts@tessares.net, mptcp@lists.01.org,
	netdev@vger.kernel.org, pabeni@redhat.com,
	syzkaller-bugs@googlegroups.com
Subject: WARNING: bad unlock balance in mptcp_poll
Date: Sat, 11 Apr 2020 09:51:14 -0700
Message-ID: <000000000000758fcf05a306a8bf@google.com>

Thread overview: 6+ messages
2020-04-11 16:51 syzbot [this message]
2020-04-11 16:51 ` WARNING: bad unlock balance in mptcp_poll syzbot
  -- strict thread matches above, loose matches on Subject: below --
2020-04-11 19:05 [MPTCP] [PATCH net] mptcp: fix double-unlock " Florian Westphal
2020-04-11 19:05 ` Florian Westphal
2020-04-13  4:05 [MPTCP] " David Miller
2020-04-13  4:05 ` David Miller