From: syzbot ci <syzbot+ci77a5caa9fce14315@syzkaller.appspotmail.com>
To: abhishektamboli9@gmail.com, andrew@lunn.ch,
ayush.sawal@chelsio.com, coreteam@netfilter.org,
davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
fw@strlen.de, gregkh@linuxfoundation.org,
herbert@gondor.apana.org.au, horms@kernel.org,
kadlec@netfilter.org, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev,
mhal@rbox.co, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, pabeni@redhat.com,
pablo@netfilter.org, sdf@fomichev.me,
steffen.klassert@secunet.com
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: net: Convert to skb_dstref_steal and skb_dstref_restore
Date: Tue, 19 Aug 2025 08:41:36 -0700
Message-ID: <68a49b30.050a0220.e29e5.00c8.GAE@google.com>
In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me>

syzbot ci has tested the following series

[v2] net: Convert to skb_dstref_steal and skb_dstref_restore
https://lore.kernel.org/all/20250818154032.3173645-1-sdf@fomichev.me
* [PATCH net-next v2 1/7] net: Add skb_dstref_steal and skb_dstref_restore
* [PATCH net-next v2 2/7] xfrm: Switch to skb_dstref_steal to clear dst_entry
* [PATCH net-next v2 3/7] netfilter: Switch to skb_dstref_steal to clear dst_entry
* [PATCH net-next v2 4/7] net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers
* [PATCH net-next v2 5/7] staging: octeon: Convert to skb_dst_drop
* [PATCH net-next v2 6/7] chtls: Convert to skb_dst_reset
* [PATCH net-next v2 7/7] net: Add skb_dst_check_unset

and found the following issue:
WARNING in nf_reject_fill_skb_dst

Full report is available here:
https://ci.syzbot.org/series/74fec874-bca1-42a5-bb58-f3f49b95e348

***

WARNING in nf_reject_fill_skb_dst

tree: net-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git
base: 8159572936392b514e404bab2d60e47cebd5acfe
arch: amd64
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
config: https://ci.syzbot.org/builds/10161afb-c9c1-4272-851c-1ded15995879/config
C repro: https://ci.syzbot.org/findings/7f681f6a-9952-49a0-8533-0bc185291f81/c_repro
syz repro: https://ci.syzbot.org/findings/7f681f6a-9952-49a0-8533-0bc185291f81/syz_repro
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5862 at ./include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
WARNING: CPU: 1 PID: 5862 at ./include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1211 [inline]
WARNING: CPU: 1 PID: 5862 at ./include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
Modules linked in:
CPU: 1 UID: 0 PID: 5862 Comm: kworker/u8:2 Not tainted 6.17.0-rc1-syzkaller-00207-g815957293639-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
RIP: 0010:skb_dst_set include/linux/skbuff.h:1211 [inline]
RIP: 0010:nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
Code: 8b 0d 60 75 8b 08 48 3b 8c 24 e0 00 00 00 75 5d 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d e9 03 91 67 01 cc e8 ad d0 aa f7 90 <0f> 0b 90 e9 38 ff ff ff 44 89 f9 80 e1 07 fe c1 38 c1 0f 8c 2b fe
RSP: 0018:ffffc900001e0360 EFLAGS: 00010246
RAX: ffffffff8a14dae3 RBX: ffff88810f943b00 RCX: ffff888109618000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900001e0490 R08: ffffffff8fa37e37 R09: 1ffffffff1f46fc6
R10: dffffc0000000000 R11: fffffbfff1f46fc7 R12: ffff88810ec56101
R13: dffffc0000000001 R14: 1ffff9200003c070 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881a3c1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002f6a520 CR3: 0000000027716000 CR4: 00000000000006f0
Call Trace:
<IRQ>
nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
nft_do_chain+0x40c/0x1920 net/netfilter/nf_tables_core.c:285
nft_do_chain_inet+0x25d/0x340 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
nf_hook include/linux/netfilter.h:273 [inline]
NF_HOOK+0x206/0x3a0 include/linux/netfilter.h:316
__netif_receive_skb_one_core net/core/dev.c:5979 [inline]
__netif_receive_skb+0x143/0x380 net/core/dev.c:6092
process_backlog+0x60e/0x14f0 net/core/dev.c:6444
__napi_poll+0xc7/0x360 net/core/dev.c:7494
napi_poll net/core/dev.c:7557 [inline]
net_rx_action+0x707/0xe30 net/core/dev.c:7684
handle_softirqs+0x286/0x870 kernel/softirq.c:579
do_softirq+0xec/0x180 kernel/softirq.c:480
</IRQ>
<TASK>
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:910 [inline]
__dev_queue_xmit+0x1d79/0x3b50 net/core/dev.c:4740
neigh_output include/net/neighbour.h:547 [inline]
ip6_finish_output2+0x11fe/0x16a0 net/ipv6/ip6_output.c:141
NF_HOOK include/linux/netfilter.h:318 [inline]
ndisc_send_skb+0xb96/0x1470 net/ipv6/ndisc.c:512
ndisc_send_ns+0xcb/0x150 net/ipv6/ndisc.c:670
addrconf_dad_work+0xaae/0x14b0 net/ipv6/addrconf.c:4282
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.