Re: [syzbot] [rdma?] WARNING in rxe_skb_tx_dtor

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+8425ccfb599521edb153@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	 yanjun.zhu@linux.dev
Subject: Re: [syzbot] [rdma?] WARNING in rxe_skb_tx_dtor
Date: Fri, 27 Jun 2025 11:43:03 -0700	[thread overview]
Message-ID: <685ee637.a00a0220.3efde.0000.GAE@google.com> (raw)
In-Reply-To: <f63acb1b-083f-4a48-8352-d07d48827330@linux.dev>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: wild-memory-access Read in __rxe_get

==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: wild-memory-access in refcount_read include/linux/refcount.h:170 [inline]
BUG: KASAN: wild-memory-access in __refcount_add_not_zero include/linux/refcount.h:176 [inline]
BUG: KASAN: wild-memory-access in __refcount_inc_not_zero include/linux/refcount.h:317 [inline]
BUG: KASAN: wild-memory-access in refcount_inc_not_zero include/linux/refcount.h:335 [inline]
BUG: KASAN: wild-memory-access in kref_get_unless_zero include/linux/kref.h:131 [inline]
BUG: KASAN: wild-memory-access in __rxe_get+0x79/0x1c0 drivers/infiniband/sw/rxe/rxe_pool.c:241
Read of size 4 at addr 0006000000000210 by task kworker/u4:6/1038

CPU: 0 UID: 0 PID: 1038 Comm: kworker/u4:6 Not tainted 6.16.0-rc3-syzkaller-gfa5598b27d21 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: rxe_wq do_work
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 refcount_read include/linux/refcount.h:170 [inline]
 __refcount_add_not_zero include/linux/refcount.h:176 [inline]
 __refcount_inc_not_zero include/linux/refcount.h:317 [inline]
 refcount_inc_not_zero include/linux/refcount.h:335 [inline]
 kref_get_unless_zero include/linux/kref.h:131 [inline]
 __rxe_get+0x79/0x1c0 drivers/infiniband/sw/rxe/rxe_pool.c:241
 rxe_skb_tx_dtor+0x79/0x1e0 drivers/infiniband/sw/rxe/rxe_net.c:363
 skb_release_head_state+0xfe/0x250 net/core/skbuff.c:1139
 napi_consume_skb+0xd2/0x1e0 net/core/skbuff.c:-1
 e1000_unmap_and_free_tx_resource drivers/net/ethernet/intel/e1000/e1000_main.c:1972 [inline]
 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3864 [inline]
 e1000_clean+0x49d/0x2b00 drivers/net/ethernet/intel/e1000/e1000_main.c:3805
 __napi_poll+0xc4/0x480 net/core/dev.c:7414
 napi_poll net/core/dev.c:7478 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7605
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:910 [inline]
 __dev_queue_xmit+0x1cd7/0x3a70 net/core/dev.c:4740
 neigh_output include/net/neighbour.h:539 [inline]
 ip6_finish_output2+0x11fe/0x16a0 net/ipv6/ip6_output.c:141
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:226
 rxe_send drivers/infiniband/sw/rxe/rxe_net.c:385 [inline]
 rxe_xmit_packet+0x79e/0xa30 drivers/infiniband/sw/rxe/rxe_net.c:444
 rxe_requester+0x1fea/0x3d20 drivers/infiniband/sw/rxe/rxe_req.c:805
 rxe_sender+0x16/0x50 drivers/infiniband/sw/rxe/rxe_req.c:839
 do_task drivers/infiniband/sw/rxe/rxe_task.c:127 [inline]
 do_work+0x1b1/0x6c0 drivers/infiniband/sw/rxe/rxe_task.c:187
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
==================================================================


Tested on:

commit:         fa5598b2 RDNA/rxe: Fix rxe_skb_tx_dtor problem
git tree:       https://github.com/zhuyj/linux.git v6.16_fix_rxe_skb_tx_dtor
console output: https://syzkaller.appspot.com/x/log.txt?x=16b943d4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=79da270cec5ffd65
dashboard link: https://syzkaller.appspot.com/bug?extid=8425ccfb599521edb153
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6

Note: no patches were applied.

next      parent reply	other threads:[~2025-06-27 18:43 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <f63acb1b-083f-4a48-8352-d07d48827330@linux.dev>
2025-06-27 18:43 ` syzbot [this message]
2025-06-27 19:35   ` [syzbot] [rdma?] WARNING in rxe_skb_tx_dtor Yanjun.Zhu
2025-06-27 19:50     ` syzbot
2025-06-27 20:26       ` Yanjun.Zhu
2025-06-27 20:46         ` syzbot
2025-06-27 23:10           ` Yanjun.Zhu
2025-06-27 23:32             ` syzbot
2025-06-27 23:42               ` Yanjun.Zhu
2025-07-03  0:36                 ` Yanjun.Zhu
2025-07-03  0:58                   ` syzbot
2025-07-06 21:04                     ` Zhu Yanjun
2025-05-01 16:45 syzbot
2025-05-02  9:54 ` Zhu Yanjun
2025-05-13 14:57   ` Zhu Yanjun
2025-06-26 20:55 ` syzbot
2025-06-26 22:22   ` Yanjun.Zhu
2025-06-26 22:25     ` syzbot
2025-06-26 22:38       ` Yanjun.Zhu
2025-06-26 22:54         ` syzbot
2025-06-27  2:49         ` Zhu Yanjun
2025-06-27  3:11           ` syzbot
2025-06-27  3:41             ` Zhu Yanjun
2025-06-27  3:57               ` syzbot
2025-06-27  4:53                 ` Zhu Yanjun
2025-06-27  5:09                   ` syzbot
2025-06-26 22:52   ` Hillf Danton
2025-06-26 23:09     ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=685ee637.a00a0220.3efde.0000.GAE@google.com \
    --to=syzbot+8425ccfb599521edb153@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=yanjun.zhu@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.