* [syzbot] [net?] WARNING in cleanup_net (3)
From: syzbot @ 2023-11-30 8:30 UTC (permalink / raw)
To: davem, edumazet, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: d90b0276af8f Merge tag 'hardening-v6.6-rc3' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c4675c680000
kernel config: https://syzkaller.appspot.com/x/.config?x=d594086f139d167
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d90b0276.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6997ebf3cf3/vmlinux-d90b0276.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d893c5c3f98f/bzImage-d90b0276.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ada62e1dc03fdc41982@syzkaller.appspotmail.com
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1093 at lib/ref_tracker.c:179 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
WARNING: CPU: 1 PID: 1093 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x3e2/0x680 lib/ref_tracker.c:178
Modules linked in:
CPU: 1 PID: 1093 Comm: kworker/u16:7 Not tainted 6.6.0-rc2-syzkaller-00337-gd90b0276af8f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit+0x3e2/0x680 lib/ref_tracker.c:179
Code: 85 07 02 00 00 4d 39 f5 49 8b 06 4d 89 f7 0f 85 0e ff ff ff 48 8b 2c 24 e8 4b 7b 32 fd 48 8b 74 24 18 48 89 ef e8 ce d8 ec 05 <0f> 0b e8 37 7b 32 fd 48 8d 5d 44 be 04 00 00 00 48 89 df e8 b6 34
RSP: 0018:ffffc90006ee7b78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8a8cab20 RDI: 0000000000000001
RBP: ffff8880591981e0 R08: 0000000000000001 R09: fffffbfff233dff7
R10: ffffffff919effbf R11: 0000000000000114 R12: ffff888059198230
R13: ffff888059198230 R14: ffff888059198230 R15: ffff888059198230
FS: 0000000000000000(0000) GS:ffff88802c700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000057ab404c CR3: 0000000070f05000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 00000000ffff00f1 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
net_free net/core/net_namespace.c:448 [inline]
net_free net/core/net_namespace.c:442 [inline]
cleanup_net+0x8d4/0xb20 net/core/net_namespace.c:635
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
From: syzbot @ 2024-04-05 3:00 UTC (permalink / raw)
To: davem, edumazet, hdanton, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs, xrivendell7
syzbot has found a reproducer for the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11fdccc5180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ada62e1dc03fdc41982@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5236 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Modules linked in:
CPU: 1 PID: 5236 Comm: kworker/u8:6 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 88 e7 9f 06 eb 1a e8 71 d2 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 70 e7 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 db 23 19 fd 48 89
RSP: 0018:ffffc9000905f9e0 EFLAGS: 00010246
RAX: 717a74f119e84f00 RBX: ffff888021ec9e98 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
RBP: ffffc9000905fab0 R08: ffffffff92ce55ff R09: 1ffffffff259cabf
R10: dffffc0000000000 R11: fffffbfff259cac0 R12: 1ffff1100df19ef8
R13: dead000000000100 R14: ffff888021ec9ee8 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c604d35c0 CR3: 0000000029078000 CR4: 0000000000350ef0
Call Trace:
<TASK>
net_free net/core/net_namespace.c:462 [inline]
cleanup_net+0xbf3/0xcc0 net/core/net_namespace.c:658
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f2/0x390 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
From: Hillf Danton @ 2024-04-05 6:37 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Thu, 04 Apr 2024 20:00:30 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/include/net/net_namespace.h
+++ y/include/net/net_namespace.h
@@ -318,7 +318,7 @@ static inline int check_net(const struct
return 1;
}
-#define net_drop_ns NULL
+static void net_drop_ns(void *p) {}
#endif
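Review bot: The replacement stub on the `+static void net_drop_ns(void *p) {}` line is a plain `static` function defined in a header, so every file that includes net_namespace.h without calling it gets its own unused copy and an unused-function warning. The neighbouring helper in the context (`check_net`) is `static inline`; the stub should be `static inline void net_drop_ns(void *p) { }` as well. Taking `void *` also means the `net_drop_ns(net)` call added further down is not type-checked against `struct net *`.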
@@ -353,7 +353,7 @@ static inline void __netns_tracker_free(
static inline struct net *get_net_track(struct net *net,
netns_tracker *tracker, gfp_t gfp)
{
- get_net(net);
+ refcount_inc(&net->passive);
netns_tracker_alloc(net, tracker, gfp);
return net;
}
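Review bot: With `get_net(net)` replaced by `refcount_inc(&net->passive)`, get_net_track() still returns `net` to its caller but no longer takes the reference that `get_net()` took, and nothing in the patch says why that is safe. The passive count only keeps the `struct net` memory allocated; it does not keep the namespace from being torn down, so a caller that goes on using the returned pointer as a live namespace can race with cleanup_net(). Either keep `get_net()` here or add a changelog and a comment explaining which callers are fine with a memory-only pin.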
@@ -361,7 +361,7 @@ static inline struct net *get_net_track(
static inline void put_net_track(struct net *net, netns_tracker *tracker)
{
__netns_tracker_free(net, tracker, true);
- put_net(net);
+ net_drop_ns(net);
}
typedef struct {
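Review bot: put_net_track() now ends in `net_drop_ns(net)` instead of `put_net(net)`, so it only balances a reference taken by the patched get_net_track() above. Any path that took its reference with `get_net()`, attached a tracker separately with netns_tracker_alloc(), and then releases through put_net_track() would leave that reference held and drop a passive count it never took. The pairing needs a comment at both functions, and such callers need to be audited before this change.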
--
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
From: syzbot @ 2024-04-06 15:20 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
[ 75.905861][ T5073] ref_tracker: net refcnt@ffff8880222c0148 has 1/1 users at
[ 75.905861][ T5073] sk_alloc+0x1af/0x350
[ 75.905861][ T5073] tun_chr_open+0x7a/0x510
[ 75.905861][ T5073] misc_open+0x315/0x390
[ 75.905861][ T5073] chrdev_open+0x5b2/0x630
[ 75.905861][ T5073] do_dentry_open+0x909/0x15a0
[ 75.905861][ T5073] path_openat+0x2860/0x3240
[ 75.905861][ T5073] do_filp_open+0x235/0x490
[ 75.905861][ T5073] do_sys_openat2+0x13e/0x1d0
[ 75.905861][ T5073] __x64_sys_openat+0x247/0x2a0
[ 75.905861][ T5073] do_syscall_64+0xfd/0x240
[ 75.905861][ T5073] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 75.905861][ T5073]
[ 75.979496][ T5073] ------------[ cut here ]------------
[ 75.985963][ T5073] WARNING: CPU: 0 PID: 5073 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550
[ 75.995634][ T5073] Modules linked in:
[ 75.999559][ T5073] CPU: 0 PID: 5073 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 76.010206][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 76.020324][ T5073] RIP: 0010:ref_tracker_dir_exit+0x411/0x550
[ 76.026442][ T5073] Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 48 e8 9f 06 eb 1a e8 31 d3 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 30 e8 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 9b 24 19 fd 48 89
[ 76.046525][ T5073] RSP: 0018:ffffc900044a79a0 EFLAGS: 00010246
[ 76.052621][ T5073] RAX: 07ca3c5e6899b200 RBX: ffff8880222c0148 RCX: 0000000000000001
[ 76.061276][ T5073] RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
[ 76.069472][ T5073] RBP: ffffc900044a7a70 R08: ffffffff8f873a6f R09: 1ffffffff1f0e74d
[ 76.077665][ T5073] R10: dffffc0000000000 R11: fffffbfff1f0e74e R12: 1ffff110049d72f8
[ 76.085764][ T5073] R13: dead000000000100 R14: ffff8880222c0198 R15: dffffc0000000000
[ 76.093785][ T5073] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 76.102832][ T5073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 76.109499][ T5073] CR2: 00007ffe64587f58 CR3: 000000002af48000 CR4: 0000000000350ef0
[ 76.117552][ T5073] Call Trace:
[ 76.120893][ T5073] <TASK>
[ 76.123846][ T5073] ? __warn+0x163/0x4b0
[ 76.128285][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.133708][ T5073] ? report_bug+0x2b3/0x500
[ 76.138632][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.144061][ T5073] ? handle_bug+0x3e/0x70
[ 76.148725][ T5073] ? exc_invalid_op+0x1a/0x50
[ 76.153433][ T5073] ? asm_exc_invalid_op+0x1a/0x20
[ 76.158555][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.163983][ T5073] ? __pfx_ref_tracker_dir_exit+0x10/0x10
[ 76.169829][ T5073] ? free_nsproxy+0x28f/0x3b0
[ 76.174590][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.179476][ T5073] ? kfree+0x14a/0x380
[ 76.183575][ T5073] __put_net+0x19/0x60
[ 76.187755][ T5073] free_nsproxy+0x30a/0x3b0
[ 76.192315][ T5073] do_exit+0xa16/0x27e0
[ 76.196611][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.201489][ T5073] ? __pfx_do_exit+0x10/0x10
[ 76.206461][ T5073] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.211883][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.216829][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.222856][ T5073] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 76.229291][ T5073] ? _raw_spin_lock_irq+0xdf/0x120
[ 76.234528][ T5073] do_group_exit+0x207/0x2c0
[ 76.239390][ T5073] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.244928][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.249814][ T5073] ? lockdep_hardirqs_on+0x99/0x150
[ 76.255099][ T5073] get_signal+0x176e/0x1850
[ 76.259655][ T5073] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.266119][ T5073] ? __pfx_get_signal+0x10/0x10
[ 76.271013][ T5073] ? debug_check_no_obj_freed+0x561/0x580
[ 76.277008][ T5073] arch_do_signal_or_restart+0x96/0x860
[ 76.282599][ T5073] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 76.289844][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.294843][ T4465] Bluetooth: hci0: command tx timeout
[ 76.295900][ T5073] ? syscall_exit_to_user_mode+0xa3/0x360
[ 76.307083][ T5073] syscall_exit_to_user_mode+0xc9/0x360
[ 76.312673][ T5073] do_syscall_64+0x10a/0x240
[ 76.317377][ T5073] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 76.323305][ T5073] RIP: 0033:0x7faaf287cd5a
[ 76.327851][ T5073] Code: Unable to access opcode bytes at 0x7faaf287cd30.
[ 76.334934][ T5073] RSP: 002b:00007ffe645897e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 76.343712][ T5073] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007faaf287cd5a
[ 76.351985][ T5073] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 76.360059][ T5073] RBP: 00007ffe6458985c R08: 0000000000000000 R09: 00007ffe64589547
[ 76.368276][ T5073] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
[ 76.376330][ T5073] R13: 000000000001282f R14: 000000000001281f R15: 0000000000000003
[ 76.384447][ T5073] </TASK>
[ 76.387492][ T5073] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 76.394807][ T5073] CPU: 0 PID: 5073 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 76.405345][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 76.415414][ T5073] Call Trace:
[ 76.418704][ T5073] <TASK>
[ 76.421647][ T5073] dump_stack_lvl+0x241/0x360
[ 76.426366][ T5073] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.431623][ T5073] ? __pfx__printk+0x10/0x10
[ 76.436256][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.441133][ T5073] ? vscnprintf+0x5d/0x90
[ 76.445501][ T5073] panic+0x349/0x860
[ 76.449437][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.454321][ T5073] ? __warn+0x172/0x4b0
[ 76.458513][ T5073] ? __pfx_panic+0x10/0x10
[ 76.463004][ T5073] __warn+0x31e/0x4b0
[ 76.467040][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.472466][ T5073] report_bug+0x2b3/0x500
[ 76.476832][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.482254][ T5073] handle_bug+0x3e/0x70
[ 76.486444][ T5073] exc_invalid_op+0x1a/0x50
[ 76.491411][ T5073] asm_exc_invalid_op+0x1a/0x20
[ 76.496283][ T5073] RIP: 0010:ref_tracker_dir_exit+0x411/0x550
[ 76.502653][ T5073] Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 48 e8 9f 06 eb 1a e8 31 d3 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 30 e8 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 9b 24 19 fd 48 89
[ 76.522277][ T5073] RSP: 0018:ffffc900044a79a0 EFLAGS: 00010246
[ 76.528381][ T5073] RAX: 07ca3c5e6899b200 RBX: ffff8880222c0148 RCX: 0000000000000001
[ 76.536367][ T5073] RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
[ 76.544448][ T5073] RBP: ffffc900044a7a70 R08: ffffffff8f873a6f R09: 1ffffffff1f0e74d
[ 76.552431][ T5073] R10: dffffc0000000000 R11: fffffbfff1f0e74e R12: 1ffff110049d72f8
[ 76.560413][ T5073] R13: dead000000000100 R14: ffff8880222c0198 R15: dffffc0000000000
[ 76.568441][ T5073] ? __pfx_ref_tracker_dir_exit+0x10/0x10
[ 76.574191][ T5073] ? free_nsproxy+0x28f/0x3b0
[ 76.578889][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.583751][ T5073] ? kfree+0x14a/0x380
[ 76.588098][ T5073] __put_net+0x19/0x60
[ 76.592182][ T5073] free_nsproxy+0x30a/0x3b0
[ 76.596712][ T5073] do_exit+0xa16/0x27e0
[ 76.600909][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.605863][ T5073] ? __pfx_do_exit+0x10/0x10
[ 76.610470][ T5073] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.615867][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.620727][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.626722][ T5073] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 76.633061][ T5073] ? _raw_spin_lock_irq+0xdf/0x120
[ 76.638194][ T5073] do_group_exit+0x207/0x2c0
[ 76.642805][ T5073] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.648021][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.652912][ T5073] ? lockdep_hardirqs_on+0x99/0x150
[ 76.658135][ T5073] get_signal+0x176e/0x1850
[ 76.662661][ T5073] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.669017][ T5073] ? __pfx_get_signal+0x10/0x10
[ 76.673885][ T5073] ? debug_check_no_obj_freed+0x561/0x580
[ 76.679630][ T5073] arch_do_signal_or_restart+0x96/0x860
[ 76.685205][ T5073] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 76.691376][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.697377][ T5073] ? syscall_exit_to_user_mode+0xa3/0x360
[ 76.703118][ T5073] syscall_exit_to_user_mode+0xc9/0x360
[ 76.708688][ T5073] do_syscall_64+0x10a/0x240
[ 76.713304][ T5073] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 76.719212][ T5073] RIP: 0033:0x7faaf287cd5a
[ 76.723630][ T5073] Code: Unable to access opcode bytes at 0x7faaf287cd30.
[ 76.730651][ T5073] RSP: 002b:00007ffe645897e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 76.739077][ T5073] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007faaf287cd5a
[ 76.747051][ T5073] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 76.755026][ T5073] RBP: 00007ffe6458985c R08: 0000000000000000 R09: 00007ffe64589547
[ 76.763004][ T5073] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
[ 76.770980][ T5073] R13: 000000000001282f R14: 000000000001281f R15: 0000000000000003
[ 76.778969][ T5073] </TASK>
[ 76.782215][ T5073] Kernel Offset: disabled
[ 76.786567][ T5073] Rebooting in 86400 seconds..
syzkaller build log:
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1440efc5180000
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15954d8d180000
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
From: Eric Dumazet @ 2024-04-05 21:22 UTC (permalink / raw)
To: syzbot
Cc: davem, hdanton, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs, xrivendell7
On Fri, Apr 5, 2024 at 5:00 AM syzbot
<syzbot+9ada62e1dc03fdc41982@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11fdccc5180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ada62e1dc03fdc41982@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 5236 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
> Modules linked in:
> CPU: 1 PID: 5236 Comm: kworker/u8:6 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> Workqueue: netns cleanup_net
> RIP: 0010:ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
> Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 88 e7 9f 06 eb 1a e8 71 d2 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 70 e7 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 db 23 19 fd 48 89
> RSP: 0018:ffffc9000905f9e0 EFLAGS: 00010246
> RAX: 717a74f119e84f00 RBX: ffff888021ec9e98 RCX: 0000000000000001
> RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
> RBP: ffffc9000905fab0 R08: ffffffff92ce55ff R09: 1ffffffff259cabf
> R10: dffffc0000000000 R11: fffffbfff259cac0 R12: 1ffff1100df19ef8
> R13: dead000000000100 R14: ffff888021ec9ee8 R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f5c604d35c0 CR3: 0000000029078000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> net_free net/core/net_namespace.c:462 [inline]
> cleanup_net+0xbf3/0xcc0 net/core/net_namespace.c:658
> process_one_work kernel/workqueue.c:3254 [inline]
> process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
> worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
> kthread+0x2f2/0x390 kernel/kthread.c:388
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
> </TASK>
>
>
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
#syz fix: rds: tcp: Fix use-after-free of net in reqsk_timer_handler().
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
From: Hillf Danton @ 2024-04-06 22:48 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Thu, 04 Apr 2024 20:00:30 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/include/net/net_namespace.h
+++ y/include/net/net_namespace.h
@@ -318,7 +318,7 @@ static inline int check_net(const struct
return 1;
}
-#define net_drop_ns NULL
+static void net_drop_ns(void *p) {}
#endif
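Review bot: The stub on the `+static void net_drop_ns(void *p) {}` line has an empty body, while the next hunk adds an unconditional `refcount_inc(&net->passive)` to get_net_track(). In the configuration that compiles this branch, nothing ever decrements that count, unless get_net_track() is compiled differently there too. The stub should do the matching decrement, or the increment should sit under the same conditional; it should also be `static inline`, like `check_net()` in the context line above.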
@@ -353,6 +353,7 @@ static inline void __netns_tracker_free(
static inline struct net *get_net_track(struct net *net,
netns_tracker *tracker, gfp_t gfp)
{
+ refcount_inc(&net->passive);
get_net(net);
netns_tracker_alloc(net, tracker, gfp);
return net;
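Review bot: The added `refcount_inc(&net->passive);` at the top of get_net_track() gives every tracked reference a second, memory-only count on top of `get_net()`, with no changelog or comment saying what lifetime problem that is meant to cover. The syzbot reply to this test reports a KASAN slab-use-after-free in net_generic() on the patched kernel, so the extra count needs a stated justification before it goes further. If the intent is to keep `net` valid across the final `put_net()`, say so in a comment here.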
@@ -362,6 +363,7 @@ static inline void put_net_track(struct
{
__netns_tracker_free(net, tracker, true);
put_net(net);
+ net_drop_ns(net);
}
typedef struct {
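Review bot: In put_net_track() the new `net_drop_ns(net)` runs after `put_net(net)`, which is the right order only because the passive count taken in get_net_track() is what keeps `net` valid once the active reference is gone. That dependency is invisible at this call site, and `net_drop_ns()` takes `void *`, so passing the wrong pointer would compile silently. Add a one-line comment naming the matching `refcount_inc(&net->passive)`, and consider a typed wrapper for this use.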
--
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
From: syzbot @ 2024-04-07 3:20 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
are+0x38/0x40
[ 77.597915][ T5085] do_syscall_64+0xfd/0x240
[ 77.597915][ T5085] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 77.597915][ T5085]
[ 77.673058][ T5085] ref_tracker: net notrefcnt@ffff8880226f01d8 skipped reports about 9/30 users.
[ 77.701239][ T61] ==================================================================
[ 77.709356][ T61] BUG: KASAN: slab-use-after-free in net_generic+0x137/0x240
[ 77.716805][ T61] Read of size 8 at addr ffff88802a43e828 by task kworker/u8:4/61
[ 77.724631][ T61]
[ 77.726967][ T61] CPU: 0 PID: 61 Comm: kworker/u8:4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 77.737146][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 77.747221][ T61] Workqueue: ipv6_addrconf addrconf_dad_work
[ 77.753246][ T61] Call Trace:
[ 77.756539][ T61] <TASK>
[ 77.759487][ T61] dump_stack_lvl+0x241/0x360
[ 77.764202][ T61] ? __pfx_dump_stack_lvl+0x10/0x10
[ 77.769440][ T61] ? __pfx__printk+0x10/0x10
[ 77.774072][ T61] ? _printk+0xd5/0x120
[ 77.778297][ T61] ? __virt_addr_valid+0x183/0x520
[ 77.783446][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.788325][ T61] print_report+0x169/0x550
[ 77.792863][ T61] ? __virt_addr_valid+0x183/0x520
[ 77.798012][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.802893][ T61] ? __virt_addr_valid+0x44e/0x520
[ 77.808045][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.812923][ T61] ? __phys_addr+0xba/0x170
[ 77.817639][ T61] ? net_generic+0x137/0x240
[ 77.822251][ T61] kasan_report+0x143/0x180
[ 77.826801][ T61] ? net_generic+0x137/0x240
[ 77.831422][ T61] ? net_generic+0x1f/0x240
[ 77.835957][ T61] net_generic+0x137/0x240
[ 77.840395][ T61] call_fib_notifiers+0x23/0x60
[ 77.845304][ T61] fib6_add+0x1bd5/0x4430
[ 77.849707][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 77.856103][ T61] ? __pfx_lock_acquire+0x10/0x10
[ 77.861152][ T61] ? __pfx_fib6_add+0x10/0x10
[ 77.865864][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.870742][ T61] ? do_raw_spin_lock+0x14f/0x370
[ 77.875798][ T61] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 77.881630][ T61] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.887037][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.891919][ T61] ? ip6_ins_rt+0xf0/0x170
[ 77.896369][ T61] ip6_ins_rt+0x106/0x170
[ 77.900730][ T61] ? __pfx_ip6_ins_rt+0x10/0x10
[ 77.905616][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.910489][ T61] ? nlmsg_notify+0x15a/0x1c0
[ 77.915196][ T61] __ipv6_ifa_notify+0x5ca/0x11f0
[ 77.920243][ T61] ? __pfx___ipv6_ifa_notify+0x10/0x10
[ 77.925724][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.930599][ T61] ? mark_lock+0x9a/0x350
[ 77.934959][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.939842][ T61] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 77.945852][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 77.952210][ T61] ? __cancel_work+0x26a/0x390
[ 77.957001][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.961878][ T61] ? lockdep_hardirqs_on+0x99/0x150
[ 77.967113][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.971989][ T61] ? __cancel_work+0x2ef/0x390
[ 77.976790][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 77.983154][ T61] addrconf_dad_completed+0x181/0xcd0
[ 77.988570][ T61] ? __pfx_addrconf_dad_completed+0x10/0x10
[ 77.994527][ T61] ? addrconf_dad_work+0x58a/0x16f0
[ 77.999783][ T61] addrconf_dad_work+0xdc2/0x16f0
[ 78.004876][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.009767][ T61] ? __pfx_addrconf_dad_work+0x10/0x10
[ 78.015276][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.021642][ T61] ? process_scheduled_works+0x91b/0x1770
[ 78.027395][ T61] process_scheduled_works+0xa02/0x1770
[ 78.032992][ T61] ? __pfx_process_scheduled_works+0x10/0x10
[ 78.039006][ T61] ? assign_work+0x364/0x3d0
[ 78.043622][ T61] worker_thread+0x86d/0xd70
[ 78.048241][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.054174][ T61] ? __kthread_parkme+0x169/0x1d0
[ 78.059229][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.064420][ T61] kthread+0x2f2/0x390
[ 78.068528][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.073668][ T61] ? __pfx_kthread+0x10/0x10
[ 78.078288][ T61] ret_from_fork+0x4d/0x80
[ 78.082745][ T61] ? __pfx_kthread+0x10/0x10
[ 78.087372][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.092213][ T61] </TASK>
[ 78.095242][ T61]
[ 78.097572][ T61] Allocated by task 5073:
[ 78.101905][ T61] kasan_save_track+0x3f/0x80
[ 78.106607][ T61] __kasan_kmalloc+0x98/0xb0
[ 78.111229][ T61] __kmalloc+0x233/0x4a0
[ 78.115490][ T61] copy_net_ns+0x10e/0x7b0
[ 78.119929][ T61] create_new_namespaces+0x425/0x7b0
[ 78.125249][ T61] unshare_nsproxy_namespaces+0x124/0x180
[ 78.130996][ T61] ksys_unshare+0x619/0xc10
[ 78.135525][ T61] __x64_sys_unshare+0x38/0x40
[ 78.140320][ T61] do_syscall_64+0xfd/0x240
[ 78.144846][ T61] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 78.150767][ T61]
[ 78.153098][ T61] Freed by task 5085:
[ 78.157087][ T61] kasan_save_track+0x3f/0x80
[ 78.161793][ T61] kasan_save_free_info+0x40/0x50
[ 78.166858][ T61] poison_slab_object+0xa6/0xe0
[ 78.171748][ T61] __kasan_slab_free+0x37/0x60
[ 78.176539][ T61] kfree+0x14a/0x380
[ 78.180452][ T61] net_drop_ns+0x6e/0xc0
[ 78.184724][ T61] iterate_cleanup_work+0x1d2/0x260
[ 78.189945][ T61] process_scheduled_works+0xa02/0x1770
[ 78.195511][ T61] worker_thread+0x86d/0xd70
[ 78.200123][ T61] kthread+0x2f2/0x390
[ 78.204225][ T61] ret_from_fork+0x4d/0x80
[ 78.208678][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.213470][ T61]
[ 78.215805][ T61] The buggy address belongs to the object at ffff88802a43e800
[ 78.215805][ T61] which belongs to the cache kmalloc-1k of size 1024
[ 78.229884][ T61] The buggy address is located 40 bytes inside of
[ 78.229884][ T61] freed 1024-byte region [ffff88802a43e800, ffff88802a43ec00)
[ 78.243716][ T61]
[ 78.246057][ T61] The buggy address belongs to the physical page:
executing program
[ 78.252475][ T61] page:ffffea0000a90e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a438
[ 78.262645][ T61] head:ffffea0000a90e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.271623][ T61] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 78.280054][ T61] page_type: 0xffffffff()
[ 78.284404][ T61] raw: 00fff00000000840 ffff888014c41dc0 0000000000000000 dead000000000001
[ 78.293008][ T61] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 78.301607][ T61] page dumped because: kasan: bad access detected
[ 78.308035][ T61] page_owner tracks the page as allocated
[ 78.313762][ T61] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 17639541498, free_ts 0
[ 78.333517][ T61] post_alloc_hook+0x1ea/0x210
[ 78.338325][ T61] get_page_from_freelist+0x33ea/0x3580
[ 78.343899][ T61] __alloc_pages+0x256/0x680
[ 78.348509][ T61] alloc_slab_page+0x5f/0x160
[ 78.353214][ T61] new_slab+0x84/0x2f0
[ 78.357310][ T61] ___slab_alloc+0xc73/0x1260
[ 78.362015][ T61] __kmalloc+0x2e5/0x4a0
[ 78.366275][ T61] ops_init+0x203/0x610
[ 78.370463][ T61] register_pernet_operations+0x2cb/0x660
[ 78.376214][ T61] register_pernet_subsys+0x28/0x40
[ 78.381450][ T61] ip6table_nat_init+0x39/0x80
[ 78.386249][ T61] do_one_initcall+0x23a/0x830
[ 78.391039][ T61] do_initcall_level+0x157/0x210
[ 78.395998][ T61] do_initcalls+0x3f/0x80
[ 78.400347][ T61] kernel_init_freeable+0x435/0x5d0
[ 78.405573][ T61] kernel_init+0x1d/0x2a0
[ 78.409923][ T61] page_owner free stack trace missing
[ 78.415297][ T61]
[ 78.417632][ T61] Memory state around the buggy address:
[ 78.423274][ T61] ffff88802a43e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.431349][ T61] ffff88802a43e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.439423][ T61] >ffff88802a43e800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.447489][ T61] ^
[ 78.452872][ T61] ffff88802a43e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.460943][ T61] ffff88802a43e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.469270][ T61] ==================================================================
[ 78.477394][ T61] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.485047][ T61] CPU: 0 PID: 61 Comm: kworker/u8:4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 78.495225][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 78.505310][ T61] Workqueue: ipv6_addrconf addrconf_dad_work
[ 78.511434][ T61] Call Trace:
[ 78.514731][ T61] <TASK>
[ 78.517685][ T61] dump_stack_lvl+0x241/0x360
[ 78.522408][ T61] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.527653][ T61] ? __pfx__printk+0x10/0x10
[ 78.532296][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.537188][ T61] ? vscnprintf+0x5d/0x90
[ 78.541544][ T61] panic+0x349/0x860
[ 78.545472][ T61] ? check_panic_on_warn+0x21/0xb0
[ 78.550616][ T61] ? __pfx_panic+0x10/0x10
[ 78.555063][ T61] ? mark_lock+0x9a/0x350
[ 78.559419][ T61] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 78.565358][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.570235][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.576165][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 78.582538][ T61] ? print_report+0x502/0x550
[ 78.587259][ T61] check_panic_on_warn+0x86/0xb0
[ 78.592247][ T61] ? net_generic+0x137/0x240
[ 78.596863][ T61] end_report+0x6e/0x140
[ 78.601143][ T61] kasan_report+0x154/0x180
[ 78.605683][ T61] ? net_generic+0x137/0x240
[ 78.610299][ T61] ? net_generic+0x1f/0x240
[ 78.614828][ T61] net_generic+0x137/0x240
[ 78.619269][ T61] call_fib_notifiers+0x23/0x60
[ 78.624143][ T61] fib6_add+0x1bd5/0x4430
[ 78.628522][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 78.634889][ T61] ? __pfx_lock_acquire+0x10/0x10
[ 78.639942][ T61] ? __pfx_fib6_add+0x10/0x10
[ 78.644649][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.649561][ T61] ? do_raw_spin_lock+0x14f/0x370
[ 78.654627][ T61] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 78.660470][ T61] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 78.665884][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.670772][ T61] ? ip6_ins_rt+0xf0/0x170
[ 78.675223][ T61] ip6_ins_rt+0x106/0x170
[ 78.679588][ T61] ? __pfx_ip6_ins_rt+0x10/0x10
[ 78.684474][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.689354][ T61] ? nlmsg_notify+0x15a/0x1c0
[ 78.694064][ T61] __ipv6_ifa_notify+0x5ca/0x11f0
[ 78.699112][ T61] ? __pfx___ipv6_ifa_notify+0x10/0x10
[ 78.704684][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.709561][ T61] ? mark_lock+0x9a/0x350
[ 78.713916][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.718789][ T61] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 78.724967][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.731325][ T61] ? __cancel_work+0x26a/0x390
[ 78.736127][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.741007][ T61] ? lockdep_hardirqs_on+0x99/0x150
[ 78.746238][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.751121][ T61] ? __cancel_work+0x2ef/0x390
[ 78.755923][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.762290][ T61] addrconf_dad_completed+0x181/0xcd0
[ 78.767717][ T61] ? __pfx_addrconf_dad_completed+0x10/0x10
[ 78.773655][ T61] ? addrconf_dad_work+0x58a/0x16f0
[ 78.778900][ T61] addrconf_dad_work+0xdc2/0x16f0
[ 78.783967][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.788852][ T61] ? __pfx_addrconf_dad_work+0x10/0x10
[ 78.794358][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.800727][ T61] ? process_scheduled_works+0x91b/0x1770
[ 78.806474][ T61] process_scheduled_works+0xa02/0x1770
[ 78.812067][ T61] ? __pfx_process_scheduled_works+0x10/0x10
[ 78.818082][ T61] ? assign_work+0x364/0x3d0
[ 78.822754][ T61] worker_thread+0x86d/0xd70
[ 78.827425][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.833368][ T61] ? __kthread_parkme+0x169/0x1d0
[ 78.838514][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.843673][ T61] kthread+0x2f2/0x390
[ 78.847789][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.852931][ T61] ? __pfx_kthread+0x10/0x10
[ 78.857554][ T61] ret_from_fork+0x4d/0x80
[ 78.862007][ T61] ? __pfx_kthread+0x10/0x10
[ 78.866628][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.871440][ T61] </TASK>
[ 78.874677][ T61] Kernel Offset: disabled
[ 78.878995][ T61] Rebooting in 86400 seconds..
syzkaller build log:
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16af0699180000
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=148bd8f3180000
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
2024-04-05 3:00 ` syzbot
` (2 preceding siblings ...)
2024-04-06 22:48 ` Hillf Danton
@ 2024-04-07 10:33 ` Hillf Danton
2024-04-07 11:08 ` syzbot
3 siblings, 1 reply; 14+ messages in thread
From: Hillf Danton @ 2024-04-07 10:33 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Thu, 04 Apr 2024 20:00:30 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/include/net/net_namespace.h
+++ y/include/net/net_namespace.h
@@ -318,7 +318,7 @@ static inline int check_net(const struct
return 1;
}
-#define net_drop_ns NULL
+static void net_drop_ns(void *p) {}
#endif
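Review bot: static void net_drop_ns(void *p) {} in a header should be static inline. As written, every file that includes net_namespace.h without calling it gets its own unused copy and a defined-but-not-used warning. Replacing the NULL define also changes what any caller that passes net_drop_ns as a pointer sees, from NULL to a no-op function, so those call sites deserve a look.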
@@ -353,6 +353,7 @@ static inline void __netns_tracker_free(
static inline struct net *get_net_track(struct net *net,
netns_tracker *tracker, gfp_t gfp)
{
+ refcount_inc(&net->passive);
get_net(net);
netns_tracker_alloc(net, tracker, gfp);
return net;
@@ -362,6 +363,7 @@ static inline void put_net_track(struct
{
__netns_tracker_free(net, tracker, true);
put_net(net);
+ net_drop_ns(net);
}
typedef struct {
--- x/net/netfilter/nf_nat_masquerade.c
+++ y/net/netfilter/nf_nat_masquerade.c
@@ -123,11 +123,12 @@ static void nf_nat_masq_schedule(struct
INIT_WORK(&w->work, iterate_cleanup_work);
w->ifindex = ifindex;
w->net = net;
- netns_tracker_alloc(net, &w->ns_tracker, gfp_flags);
+ get_net_track(net, &w->ns_tracker, gfp_flags);
w->iter = iter;
if (addr)
w->addr = *addr;
schedule_work(&w->work);
+ put_net(net);
return;
}
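Review bot: the put_net(net) added after schedule_work(&w->work) gives back the active reference that get_net_track() took a few lines earlier, so the queued work is left holding only the tracker and, with the header change, the passive count. If that is the intent, taking the active reference just to drop it again is unnecessary and the passive count can be taken directly. If the work is meant to hold an active reference, the put belongs in iterate_cleanup_work(), which this patch does not touch. The release side also has to match: a put_net_track() there would call put_net() a second time for this one get.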
--
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
2024-04-07 10:33 ` Hillf Danton
@ 2024-04-07 11:08 ` syzbot
0 siblings, 0 replies; 14+ messages in thread
From: syzbot @ 2024-04-07 11:08 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in cleanup_net
__do_sys_unshare kernel/fork.c:3393 [inline]
__se_sys_unshare kernel/fork.c:3391 [inline]
__x64_sys_unshare+0x38/0x40 kernel/fork.c:3391
do_syscall_64+0xfd/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1057 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Modules linked in:
CPU: 1 PID: 1057 Comm: kworker/u8:7 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 08 e7 9f 06 eb 1a e8 f1 d1 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 f0 e6 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 5b 23 19 fd 48 89
RSP: 0018:ffffc90003c579e0 EFLAGS: 00010246
RAX: 75214a9c4e67f100 RBX: ffff88807a2b01d8 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
RBP: ffffc90003c57ab0 R08: ffffffff92ce55ef R09: 1ffffffff259cabd
R10: dffffc0000000000 R11: fffffbfff259cabe R12: 1ffff1100fc58348
R13: dead000000000100 R14: ffff88807a2b0228 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f71ec36bfe4 CR3: 000000002dd64000 CR4: 0000000000350ef0
Call Trace:
<TASK>
net_free net/core/net_namespace.c:462 [inline]
cleanup_net+0xbf3/0xcc0 net/core/net_namespace.c:658
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f2/0x390 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16ad098d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=165c53d3180000
^ permalink raw reply [flat|nested] 14+ messages in thread
* [syzbot] [net?] WARNING in cleanup_net (3)
@ 2023-11-30 8:42 xingwei lee
2023-11-30 8:46 ` Eric Dumazet
0 siblings, 1 reply; 14+ messages in thread
From: xingwei lee @ 2023-11-30 8:42 UTC (permalink / raw)
To: syzbot+9ada62e1dc03fdc41982
Cc: davem, Eric Dumazet, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello
I reproduced this bug with repro.txt and repro.c
=* repro.txt =*
syz_emit_ethernet(0x4a, &(0x7f0000000000)={@local, @empty, @void, {@ipv6={0x86dd, @tcp={0x0, 0x6, "0d0200", 0x14, 0x6, 0x0, @empty, @local, {[], {{0x0, 0x4001, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x2}}}}}}}, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$bind(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x1010, 0x0)
pivot_root(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='./file0\x00')
=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/genetlink.h>
#include <linux/if_addr.h>
#include <linux/if_ether.h>
#include <linux/if_link.h>
#include <linux/if_tun.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/loop.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/tcp.h>
#include <linux/veth.h>
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
exit(sig);
}
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
int valid = addr < prog_start || addr > prog_end;
if (skip && valid) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) ({ int ok = 1; __atomic_fetch_add(&skip_segv, \
1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } \
else ok = 0; __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); ok; \
})
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) \
*(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), \
(bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), \
(bf_len))))
struct csum_inet {
uint32_t acc;
};
static void csum_inet_init(struct csum_inet* csum)
{
csum->acc = 0;
}
static void csum_inet_update(struct csum_inet* csum, const uint8_t*
data, size_t length)
{
if (length == 0)
return;
size_t i = 0;
for (; i < length - 1; i += 2)
csum->acc += *(uint16_t*)&data[i];
if (length & 1)
csum->acc += le16toh((uint16_t)data[length - 1]);
while (csum->acc > 0xffff)
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
return ~csum->acc;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
struct nlmsg {
char* pos;
int nesting;
struct nlattr* nested[8];
char buf[4096];
};
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
const void* data, int size)
{
memset(nlmsg, 0, sizeof(*nlmsg));
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
hdr->nlmsg_type = typ;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
memcpy(hdr + 1, data, size);
nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}
static void netlink_attr(struct nlmsg* nlmsg, int typ,
const void* data, int size)
{
struct nlattr* attr = (struct nlattr*)nlmsg->pos;
attr->nla_len = sizeof(*attr) + size;
attr->nla_type = typ;
if (size > 0)
memcpy(attr + 1, data, size);
nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}
static void netlink_nest(struct nlmsg* nlmsg, int typ)
{
struct nlattr* attr = (struct nlattr*)nlmsg->pos;
attr->nla_type = typ;
nlmsg->pos += sizeof(*attr);
nlmsg->nested[nlmsg->nesting++] = attr;
}
static void netlink_done(struct nlmsg* nlmsg)
{
struct nlattr* attr = nlmsg->nested[--nlmsg->nesting];
attr->nla_len = nlmsg->pos - (char*)attr;
}
static int netlink_send_ext(struct nlmsg* nlmsg, int sock,
uint16_t reply_type, int* reply_len, bool dofail)
{
if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
exit(1);
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
struct sockaddr_nl addr;
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct
sockaddr*)&addr, sizeof(addr));
if (n != (ssize_t)hdr->nlmsg_len) {
if (dofail)
exit(1);
return -1;
}
n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
if (reply_len)
*reply_len = 0;
if (n < 0) {
if (dofail)
exit(1);
return -1;
}
if (n < (ssize_t)sizeof(struct nlmsghdr)) {
errno = EINVAL;
if (dofail)
exit(1);
return -1;
}
if (hdr->nlmsg_type == NLMSG_DONE)
return 0;
if (reply_len && hdr->nlmsg_type == reply_type) {
*reply_len = n;
return 0;
}
if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
errno = EINVAL;
if (dofail)
exit(1);
return -1;
}
if (hdr->nlmsg_type != NLMSG_ERROR) {
errno = EINVAL;
if (dofail)
exit(1);
return -1;
}
errno = -((struct nlmsgerr*)(hdr + 1))->error;
return -errno;
}
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
const char* family_name, bool dofail)
{
struct genlmsghdr genlhdr;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = CTRL_CMD_GETFAMILY;
netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
strnlen(family_name, GENL_NAMSIZ - 1) + 1);
int n = 0;
int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
if (err < 0) {
return -1;
}
uint16_t id = 0;
struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
NLMSG_ALIGN(sizeof(genlhdr)));
for (; (char*)attr < nlmsg->buf + n; attr = (struct
nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
id = *(uint16_t*)(attr + 1);
break;
}
}
if (!id) {
errno = EINVAL;
return -1;
}
recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
return id;
}
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset,
unsigned int total_len)
{
struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
if (offset == total_len || offset + hdr->nlmsg_len > total_len)
return -1;
return hdr->nlmsg_len;
}
static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type,
const char* name, bool up)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
if (up)
hdr.ifi_flags = hdr.ifi_change = IFF_UP;
netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr,
sizeof(hdr));
if (name)
netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name));
netlink_nest(nlmsg, IFLA_LINKINFO);
netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type));
}
static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type,
const char* name)
{
netlink_add_device_impl(nlmsg, type, name, false);
netlink_done(nlmsg);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name,
const char* peer)
{
netlink_add_device_impl(nlmsg, "veth", name, false);
netlink_nest(nlmsg, IFLA_INFO_DATA);
netlink_nest(nlmsg, VETH_INFO_PEER);
nlmsg->pos += sizeof(struct ifinfomsg);
netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer));
netlink_done(nlmsg);
netlink_done(nlmsg);
netlink_done(nlmsg);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_xfrm(struct nlmsg* nlmsg, int sock, const char* name)
{
netlink_add_device_impl(nlmsg, "xfrm", name, true);
netlink_nest(nlmsg, IFLA_INFO_DATA);
int if_id = 1;
netlink_attr(nlmsg, 2, &if_id, sizeof(if_id));
netlink_done(nlmsg);
netlink_done(nlmsg);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name,
const char* slave1, const char* slave2)
{
netlink_add_device_impl(nlmsg, "hsr", name, false);
netlink_nest(nlmsg, IFLA_INFO_DATA);
int ifindex1 = if_nametoindex(slave1);
netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
int ifindex2 = if_nametoindex(slave2);
netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
netlink_done(nlmsg);
netlink_done(nlmsg);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const
char* type, const char* name, const char* link)
{
netlink_add_device_impl(nlmsg, type, name, false);
netlink_done(nlmsg);
int ifindex = if_nametoindex(link);
netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const
char* name, const char* link, uint16_t id, uint16_t proto)
{
netlink_add_device_impl(nlmsg, "vlan", name, false);
netlink_nest(nlmsg, IFLA_INFO_DATA);
netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id));
netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto));
netlink_done(nlmsg);
netlink_done(nlmsg);
int ifindex = if_nametoindex(link);
netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const
char* name, const char* link)
{
netlink_add_device_impl(nlmsg, "macvlan", name, false);
netlink_nest(nlmsg, IFLA_INFO_DATA);
uint32_t mode = MACVLAN_MODE_BRIDGE;
netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode));
netlink_done(nlmsg);
netlink_done(nlmsg);
int ifindex = if_nametoindex(link);
netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const
char* name, uint32_t vni, struct in_addr* addr4, struct in6_addr*
addr6)
{
netlink_add_device_impl(nlmsg, "geneve", name, false);
netlink_nest(nlmsg, IFLA_INFO_DATA);
netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni));
if (addr4)
netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4));
if (addr6)
netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6));
netlink_done(nlmsg);
netlink_done(nlmsg);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
#define IFLA_IPVLAN_FLAGS 2
#define IPVLAN_MODE_L3S 2
#undef IPVLAN_F_VEPA
#define IPVLAN_F_VEPA 2
static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const
char* name, const char* link, uint16_t mode, uint16_t flags)
{
netlink_add_device_impl(nlmsg, "ipvlan", name, false);
netlink_nest(nlmsg, IFLA_INFO_DATA);
netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode));
netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags));
netlink_done(nlmsg);
netlink_done(nlmsg);
int ifindex = if_nametoindex(link);
netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static void netlink_device_change(struct nlmsg* nlmsg, int sock,
const char* name, bool up,
const char* master, const void* mac, int macsize,
const char* new_name)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
if (up)
hdr.ifi_flags = hdr.ifi_change = IFF_UP;
hdr.ifi_index = if_nametoindex(name);
netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
if (new_name)
netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
if (master) {
int ifindex = if_nametoindex(master);
netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
}
if (macsize)
netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev,
const void* addr, int addrsize)
{
struct ifaddrmsg hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
hdr.ifa_scope = RT_SCOPE_UNIVERSE;
hdr.ifa_index = if_nametoindex(dev);
netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
sizeof(hdr));
netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
return netlink_send(nlmsg, sock);
}
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock,
const char* dev, const char* addr)
{
struct in_addr in_addr;
inet_pton(AF_INET, addr, &in_addr);
int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
if (err < 0) {
}
}
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock,
const char* dev, const char* addr)
{
struct in6_addr in6_addr;
inet_pton(AF_INET6, addr, &in6_addr);
int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
if (err < 0) {
}
}
static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name,
const void* addr, int addrsize, const void* mac, int macsize)
{
struct ndmsg hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
hdr.ndm_ifindex = if_nametoindex(name);
hdr.ndm_state = NUD_PERMANENT;
netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr,
sizeof(hdr));
netlink_attr(nlmsg, NDA_DST, addr, addrsize);
netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static struct nlmsg nlmsg;
static int tunfd = -1;
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"
#define IFF_NAPI 0x0010
static void initialize_tun(void)
{
tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
if (tunfd == -1) {
printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
printf("otherwise fuzzing or reproducing might not work as intended\n");
return;
}
const int kTunFd = 200;
if (dup2(tunfd, kTunFd) < 0)
exit(1);
close(tunfd);
tunfd = kTunFd;
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
exit(1);
}
char sysctl[64];
sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
write_file(sysctl, "0");
sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
write_file(sysctl, "0");
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
uint64_t macaddr = REMOTE_MAC;
struct in_addr in_addr;
inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr,
sizeof(in_addr), &macaddr, ETH_ALEN);
struct in6_addr in6_addr;
inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr,
sizeof(in6_addr), &macaddr, ETH_ALEN);
macaddr = LOCAL_MAC;
netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr,
ETH_ALEN, NULL);
close(sock);
}
#define DEVLINK_FAMILY_NAME "devlink"
#define DEVLINK_CMD_PORT_GET 5
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7
static struct nlmsg nlmsg2;
static void initialize_devlink_ports(const char* bus_name, const char* dev_name,
const char* netdev_prefix)
{
struct genlmsghdr genlhdr;
int len, total_len, id, err, offset;
uint16_t netdev_index;
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (sock == -1)
exit(1);
int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (rtsock == -1)
exit(1);
id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
if (id == -1)
goto error;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = DEVLINK_CMD_PORT_GET;
netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
err = netlink_send_ext(&nlmsg, sock, id, &total_len, true);
if (err < 0) {
goto error;
}
offset = 0;
netdev_index = 0;
while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset +
NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
for (; (char*)attr < nlmsg.buf + offset + len;
attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
char* port_name;
char netdev_name[IFNAMSIZ];
port_name = (char*)(attr + 1);
snprintf(netdev_name, sizeof(netdev_name), "%s%d",
netdev_prefix, netdev_index);
netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0,
0, netdev_name);
break;
}
}
offset += len;
netdev_index++;
}
error:
close(rtsock);
close(sock);
}
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02x"
#define DEV_MAC 0x00aaaaaaaaaa
static void netdevsim_add(unsigned int addr, unsigned int port_count)
{
write_file("/sys/bus/netdevsim/del_device", "%u", addr);
if (write_file("/sys/bus/netdevsim/new_device", "%u %u", addr, port_count)) {
char buf[32];
snprintf(buf, sizeof(buf), "netdevsim%d", addr);
initialize_devlink_ports("netdevsim", buf, "netdevsim");
}
}
#define WG_GENL_NAME "wireguard"
enum wg_cmd {
WG_CMD_GET_DEVICE,
WG_CMD_SET_DEVICE,
};
enum wgdevice_attribute {
WGDEVICE_A_UNSPEC,
WGDEVICE_A_IFINDEX,
WGDEVICE_A_IFNAME,
WGDEVICE_A_PRIVATE_KEY,
WGDEVICE_A_PUBLIC_KEY,
WGDEVICE_A_FLAGS,
WGDEVICE_A_LISTEN_PORT,
WGDEVICE_A_FWMARK,
WGDEVICE_A_PEERS,
};
enum wgpeer_attribute {
WGPEER_A_UNSPEC,
WGPEER_A_PUBLIC_KEY,
WGPEER_A_PRESHARED_KEY,
WGPEER_A_FLAGS,
WGPEER_A_ENDPOINT,
WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
WGPEER_A_LAST_HANDSHAKE_TIME,
WGPEER_A_RX_BYTES,
WGPEER_A_TX_BYTES,
WGPEER_A_ALLOWEDIPS,
WGPEER_A_PROTOCOL_VERSION,
};
enum wgallowedip_attribute {
WGALLOWEDIP_A_UNSPEC,
WGALLOWEDIP_A_FAMILY,
WGALLOWEDIP_A_IPADDR,
WGALLOWEDIP_A_CIDR_MASK,
};
static void netlink_wireguard_setup(void)
{
const char ifname_a[] = "wg0";
const char ifname_b[] = "wg1";
const char ifname_c[] = "wg2";
const char private_a[] =
"\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43";
const char private_b[] =
"\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e";
const char private_c[] =
"\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42";
const char public_a[] =
"\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c";
const char public_b[] =
"\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b";
const char public_c[] =
"\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22";
const uint16_t listen_a = 20001;
const uint16_t listen_b = 20002;
const uint16_t listen_c = 20003;
const uint16_t af_inet = AF_INET;
const uint16_t af_inet6 = AF_INET6;
const struct sockaddr_in endpoint_b_v4 = {
.sin_family = AF_INET,
.sin_port = htons(listen_b),
.sin_addr = {htonl(INADDR_LOOPBACK)}};
const struct sockaddr_in endpoint_c_v4 = {
.sin_family = AF_INET,
.sin_port = htons(listen_c),
.sin_addr = {htonl(INADDR_LOOPBACK)}};
struct sockaddr_in6 endpoint_a_v6 = {
.sin6_family = AF_INET6,
.sin6_port = htons(listen_a)};
endpoint_a_v6.sin6_addr = in6addr_loopback;
struct sockaddr_in6 endpoint_c_v6 = {
.sin6_family = AF_INET6,
.sin6_port = htons(listen_c)};
endpoint_c_v6.sin6_addr = in6addr_loopback;
const struct in_addr first_half_v4 = {0};
const struct in_addr second_half_v4 = {(uint32_t)htonl(128 << 24)};
const struct in6_addr first_half_v6 = {{{0}}};
const struct in6_addr second_half_v6 = {{{0x80}}};
const uint8_t half_cidr = 1;
const uint16_t persistent_keepalives[] = {1, 3, 7, 9, 14, 19};
struct genlmsghdr genlhdr = {
.cmd = WG_CMD_SET_DEVICE,
.version = 1};
int sock;
int id, err;
sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (sock == -1) {
return;
}
id = netlink_query_family_id(&nlmsg, sock, WG_GENL_NAME, true);
if (id == -1)
goto error;
netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1);
netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32);
netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4,
sizeof(endpoint_b_v4));
netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
&persistent_keepalives[0], 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
sizeof(first_half_v4));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
sizeof(first_half_v6));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6,
sizeof(endpoint_c_v6));
netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
&persistent_keepalives[1], 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
sizeof(second_half_v4));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
sizeof(second_half_v6));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
err = netlink_send(&nlmsg, sock);
if (err < 0) {
}
netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1);
netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32);
netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6,
sizeof(endpoint_a_v6));
netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
&persistent_keepalives[2], 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
sizeof(first_half_v4));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
sizeof(first_half_v6));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4,
sizeof(endpoint_c_v4));
netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
&persistent_keepalives[3], 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
sizeof(second_half_v4));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
sizeof(second_half_v6));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
err = netlink_send(&nlmsg, sock);
if (err < 0) {
}
netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1);
netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32);
netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6,
sizeof(endpoint_a_v6));
netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
&persistent_keepalives[4], 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
sizeof(first_half_v4));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
sizeof(first_half_v6));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4,
sizeof(endpoint_b_v4));
netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
&persistent_keepalives[5], 2);
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
sizeof(second_half_v4));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_nest(&nlmsg, NLA_F_NESTED | 0);
netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
sizeof(second_half_v6));
netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
netlink_done(&nlmsg);
err = netlink_send(&nlmsg, sock);
if (err < 0) {
}
error:
close(sock);
}
static void initialize_netdevices(void)
{
char netdevsim[16];
sprintf(netdevsim, "netdevsim%d", (int)procid);
struct {
const char* type;
const char* dev;
} devtypes[] = {
{"ip6gretap", "ip6gretap0"},
{"bridge", "bridge0"},
{"vcan", "vcan0"},
{"bond", "bond0"},
{"team", "team0"},
{"dummy", "dummy0"},
{"nlmon", "nlmon0"},
{"caif", "caif0"},
{"batadv", "batadv0"},
{"vxcan", "vxcan1"},
{"veth", 0},
{"wireguard", "wg0"},
{"wireguard", "wg1"},
{"wireguard", "wg2"},
};
const char* devmasters[] = {"bridge", "bond", "team", "batadv"};
struct {
const char* name;
int macsize;
bool noipv6;
} devices[] = {
{"lo", ETH_ALEN},
{"sit0", 0},
{"bridge0", ETH_ALEN},
{"vcan0", 0, true},
{"tunl0", 0},
{"gre0", 0},
{"gretap0", ETH_ALEN},
{"ip_vti0", 0},
{"ip6_vti0", 0},
{"ip6tnl0", 0},
{"ip6gre0", 0},
{"ip6gretap0", ETH_ALEN},
{"erspan0", ETH_ALEN},
{"bond0", ETH_ALEN},
{"veth0", ETH_ALEN},
{"veth1", ETH_ALEN},
{"team0", ETH_ALEN},
{"veth0_to_bridge", ETH_ALEN},
{"veth1_to_bridge", ETH_ALEN},
{"veth0_to_bond", ETH_ALEN},
{"veth1_to_bond", ETH_ALEN},
{"veth0_to_team", ETH_ALEN},
{"veth1_to_team", ETH_ALEN},
{"veth0_to_hsr", ETH_ALEN},
{"veth1_to_hsr", ETH_ALEN},
{"hsr0", 0},
{"dummy0", ETH_ALEN},
{"nlmon0", 0},
{"vxcan0", 0, true},
{"vxcan1", 0, true},
{"caif0", ETH_ALEN},
{"batadv0", ETH_ALEN},
{netdevsim, ETH_ALEN},
{"xfrm0", ETH_ALEN},
{"veth0_virt_wifi", ETH_ALEN},
{"veth1_virt_wifi", ETH_ALEN},
{"virt_wifi0", ETH_ALEN},
{"veth0_vlan", ETH_ALEN},
{"veth1_vlan", ETH_ALEN},
{"vlan0", ETH_ALEN},
{"vlan1", ETH_ALEN},
{"macvlan0", ETH_ALEN},
{"macvlan1", ETH_ALEN},
{"ipvlan0", ETH_ALEN},
{"ipvlan1", ETH_ALEN},
{"veth0_macvtap", ETH_ALEN},
{"veth1_macvtap", ETH_ALEN},
{"macvtap0", ETH_ALEN},
{"macsec0", ETH_ALEN},
{"veth0_to_batadv", ETH_ALEN},
{"veth1_to_batadv", ETH_ALEN},
{"batadv_slave_0", ETH_ALEN},
{"batadv_slave_1", ETH_ALEN},
{"geneve0", ETH_ALEN},
{"geneve1", ETH_ALEN},
{"wg0", 0},
{"wg1", 0},
{"wg2", 0},
};
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
unsigned i;
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev);
for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
sprintf(slave0, "%s_slave_0", devmasters[i]);
sprintf(veth0, "veth0_to_%s", devmasters[i]);
netlink_add_veth(&nlmsg, sock, slave0, veth0);
sprintf(slave1, "%s_slave_1", devmasters[i]);
sprintf(veth1, "veth1_to_%s", devmasters[i]);
netlink_add_veth(&nlmsg, sock, slave1, veth1);
sprintf(master, "%s0", devmasters[i]);
netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL);
netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL);
}
netlink_add_xfrm(&nlmsg, sock, "xfrm0");
netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL);
netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL);
netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr");
netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr");
netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL);
netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL);
netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi");
netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0",
"veth1_virt_wifi");
netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan");
netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q));
netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD));
netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan");
netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan");
netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0);
netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan",
IPVLAN_MODE_L3S, IPVLAN_F_VEPA);
netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap");
netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap");
netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap");
char addr[32];
sprintf(addr, DEV_IPV4, 14 + 10);
struct in_addr geneve_addr4;
if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0)
exit(1);
struct in6_addr geneve_addr6;
if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0)
exit(1);
netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0);
netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6);
netdevsim_add((int)procid, 4);
netlink_wireguard_setup();
for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
char addr[32];
sprintf(addr, DEV_IPV4, i + 10);
netlink_add_addr4(&nlmsg, sock, devices[i].name, addr);
if (!devices[i].noipv6) {
sprintf(addr, DEV_IPV6, i + 10);
netlink_add_addr6(&nlmsg, sock, devices[i].name, addr);
}
uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
netlink_device_change(&nlmsg, sock, devices[i].name, true, 0,
&macaddr, devices[i].macsize, NULL);
}
close(sock);
}
static void initialize_netdevices_init(void)
{
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
struct {
const char* type;
int macsize;
bool noipv6;
bool noup;
} devtypes[] = {
{"nr", 7, true},
{"rose", 5, true, true},
};
unsigned i;
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
char dev[32], addr[32];
sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
netlink_add_addr4(&nlmsg, sock, dev, addr);
if (!devtypes[i].noipv6) {
sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
netlink_add_addr6(&nlmsg, sock, dev, addr);
}
int macsize = devtypes[i].macsize;
uint64_t macaddr = 0xbbbbbb +
((unsigned long long)i << (8 * (macsize - 2))) +
(procid << (8 * (macsize - 1)));
netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0,
&macaddr, macsize, NULL);
}
close(sock);
}
static int read_tun(char* data, int size)
{
if (tunfd < 0)
return -1;
int rv = read(tunfd, data, size);
if (rv < 0) {
if (errno == EAGAIN || errno == EBADFD)
return -1;
exit(1);
}
return rv;
}
static long syz_emit_ethernet(volatile long a0, volatile long a1,
volatile long a2)
{
if (tunfd < 0)
return (uintptr_t)-1;
uint32_t length = a0;
char* data = (char*)a1;
return write(tunfd, data, length);
}
static void flush_tun()
{
char data[1000];
while (read_tun(&data[0], sizeof(data)) != -1) {
}
}
#define MAX_FDS 30
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s,
const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {
3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {
0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
8193, 12289, 16385, 24577};
static const short dext[30] = {
0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] =
{16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(
unsigned char* dest,
unsigned long* destlen,
const unsigned char* source,
unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static long syz_mount_image(
volatile long fsarg,
volatile long dir,
volatile long flags,
volatile long optsarg,
volatile long change_dir,
volatile unsigned long size,
volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, loopfd = -1, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') && (after ==
'\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device) {
ioctl(loopfd, LOOP_CLR_FD, 0);
close(loopfd);
}
errno = err;
return res;
}
static void setup_common()
{
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}
static void setup_binderfs()
{
if (mkdir("/dev/binderfs", 0777)) {
}
if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
}
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setsid();
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}
static int wait_for_loop(int pid)
{
if (pid < 0)
exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}
static void drop_caps(void)
{
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data))
exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data))
exit(1);
}
static int do_sandbox_none(void)
{
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0)
return wait_for_loop(pid);
setup_common();
sandbox_common();
drop_caps();
initialize_netdevices_init();
if (unshare(CLONE_NEWNET)) {
}
write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
initialize_tun();
initialize_netdevices();
setup_binderfs();
loop();
exit(1);
}
#define FS_IOC_SETFLAGS _IOW('f', 2, long)
static void remove_dir(const char* dir)
{
int iter = 0;
DIR* dp = 0;
retry:
while (umount2(dir, MNT_DETACH | UMOUNT_NOFOLLOW) == 0) {
}
dp = opendir(dir);
if (dp == NULL) {
if (errno == EMFILE) {
exit(1);
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
while (umount2(filename, MNT_DETACH | UMOUNT_NOFOLLOW) == 0) {
}
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
int i;
for (i = 0;; i++) {
if (unlink(filename) == 0)
break;
if (errno == EPERM) {
int fd = open(filename, O_RDONLY);
if (fd != -1) {
long flags = 0;
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
}
close(fd);
continue;
}
}
if (errno == EROFS) {
break;
}
if (errno != EBUSY || i > 100)
exit(1);
if (umount2(filename, MNT_DETACH | UMOUNT_NOFOLLOW))
exit(1);
}
}
closedir(dp);
for (int i = 0;; i++) {
if (rmdir(dir) == 0)
break;
if (i < 100) {
if (errno == EPERM) {
int fd = open(dir, O_RDONLY);
if (fd != -1) {
long flags = 0;
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
}
close(fd);
continue;
}
}
if (errno == EROFS) {
break;
}
if (errno == EBUSY) {
if (umount2(dir, MNT_DETACH | UMOUNT_NOFOLLOW))
exit(1);
continue;
}
if (errno == ENOTEMPTY) {
if (iter < 100) {
iter++;
goto retry;
}
}
}
exit(1);
}
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort),
"/sys/fs/fuse/connections/%s/abort", ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void reset_loop()
{
char buf[64];
snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
int loopfd = open(buf, O_RDWR);
if (loopfd != -1) {
ioctl(loopfd, LOOP_CLR_FD, 0);
close(loopfd);
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
flush_tun();
if (symlink("/dev/binderfs", "./binderfs")) {
}
}
static void close_fds()
{
for (int fd = 3; fd < MAX_FDS; fd++)
close(fd);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
reset_loop();
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
setup_test();
execute_one();
close_fds();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
void execute_one(void)
{
NONFAILING(memset((void*)0x20000000, 170, 5));
NONFAILING(*(uint8_t*)0x20000005 = 0xaa);
NONFAILING(memset((void*)0x20000006, 0, 6));
NONFAILING(*(uint16_t*)0x2000000c = htobe16(0x86dd));
NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000000e, 0, 0, 4));
NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000000e, 6, 4, 4));
NONFAILING(memcpy((void*)0x2000000f, "\x0d\x02\x00", 3));
NONFAILING(*(uint16_t*)0x20000012 = htobe16(0x14));
NONFAILING(*(uint8_t*)0x20000014 = 6);
NONFAILING(*(uint8_t*)0x20000015 = 0);
NONFAILING(memset((void*)0x20000016, 0, 16));
NONFAILING(*(uint8_t*)0x20000026 = 0xfe);
NONFAILING(*(uint8_t*)0x20000027 = 0x80);
NONFAILING(memset((void*)0x20000028, 0, 13));
NONFAILING(*(uint8_t*)0x20000035 = 0xaa);
NONFAILING(*(uint16_t*)0x20000036 = htobe16(0));
NONFAILING(*(uint16_t*)0x20000038 = htobe16(0x4001));
NONFAILING(*(uint32_t*)0x2000003a = 0x41424344);
NONFAILING(*(uint32_t*)0x2000003e = 0x41424344);
NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20000042, 0, 0, 1));
NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20000042, 0, 1, 3));
NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20000042, 5, 4, 4));
NONFAILING(*(uint8_t*)0x20000043 = 2);
NONFAILING(*(uint16_t*)0x20000044 = htobe16(0));
NONFAILING(*(uint16_t*)0x20000046 = htobe16(0));
NONFAILING(*(uint16_t*)0x20000048 = htobe16(0));
struct csum_inet csum_1;
csum_inet_init(&csum_1);
NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x20000016, 16));
NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 16));
uint32_t csum_1_chunk_2 = 0x14000000;
csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 4);
uint32_t csum_1_chunk_3 = 0x6000000;
csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 4);
NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x20000036, 20));
NONFAILING(*(uint16_t*)0x20000046 = csum_inet_digest(&csum_1));
NONFAILING(syz_emit_ethernet(/*len=*/0x4a, /*packet=*/0x20000000,
/*frags=*/0));
NONFAILING(memcpy((void*)0x20000080, "./file0\000", 8));
NONFAILING(syz_mount_image(/*fs=*/0, /*dir=*/0x20000080,
/*flags=*/0, /*opts=*/0, /*chdir=*/0, /*size=*/0, /*img=*/0));
NONFAILING(memcpy((void*)0x20000000, "./file0\000", 8));
NONFAILING(memcpy((void*)0x20000040, "./file0\000", 8));
syscall(__NR_mount, /*src=*/0x20000000ul, /*dst=*/0x20000040ul,
/*type=*/0ul, /*flags=*/0x1010ul, /*data=*/0ul);
NONFAILING(memcpy((void*)0x200000c0, "./file0\000", 8));
NONFAILING(memcpy((void*)0x20000100, "./file0\000", 8));
syscall(__NR_pivot_root, /*new_root=*/0x200000c0ul, /*put_old=*/0x20000100ul);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul,
/*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul,
/*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
install_segv_handler();
for (procid = 0; procid < 4; procid++) {
if (fork() == 0) {
use_temporary_dir();
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}
also
https://gist.github.com/xrivendell7/44780af4a9dededc5ff7a7c0583ce3f1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
2023-11-30 8:42 xingwei lee
@ 2023-11-30 8:46 ` Eric Dumazet
2023-11-30 9:38 ` Eric Dumazet
0 siblings, 1 reply; 14+ messages in thread
From: Eric Dumazet @ 2023-11-30 8:46 UTC (permalink / raw)
To: xingwei lee
Cc: syzbot+9ada62e1dc03fdc41982, davem, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
On Thu, Nov 30, 2023 at 9:42 AM xingwei lee <xrivendell7@gmail.com> wrote:
>
> Hello
> I reproduced this bug with repro.txt and repro.c
>
>
Is your syzbot instance ready to accept patches for testing ?
Otherwise, a repro which happens to work 'by luck' might not work for me.
The bug here is a race condition with rds subsystem being dismantled
at netns dismantle, the 'repro' could be anything really.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
2023-11-30 8:46 ` Eric Dumazet
@ 2023-11-30 9:38 ` Eric Dumazet
2023-12-01 0:39 ` xingwei lee
0 siblings, 1 reply; 14+ messages in thread
From: Eric Dumazet @ 2023-11-30 9:38 UTC (permalink / raw)
To: xingwei lee
Cc: syzbot+9ada62e1dc03fdc41982, davem, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
On Thu, Nov 30, 2023 at 9:46 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Thu, Nov 30, 2023 at 9:42 AM xingwei lee <xrivendell7@gmail.com> wrote:
> >
> > Hello
> > I reproduced this bug with repro.txt and repro.c
> >
> >
>
>
> Is your syzbot instance ready to accept patches for testing ?
>
> Otherwise, a repro which happens to work 'by luck' might not work for me.
>
> The bug here is a race condition with rds subsystem being dismantled
> at netns dismantle, the 'repro' could be anything really.
Can you test the following patch ?
Thanks.
diff --git a/net/core/sock.c b/net/core/sock.c
index fef349dd72fa735b5915fc03e29cbb155b2aff2c..36d2871ac24f383e4e5d1af1168000f076011aae
100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2197,8 +2197,6 @@ static void __sk_destruct(struct rcu_head *head)
if (likely(sk->sk_net_refcnt))
put_net_track(sock_net(sk), &sk->ns_tracker);
- else
- __netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
sk_prot_free(sk->sk_prot_creator, sk);
}
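Review bot: with the `else` branch dropped from __sk_destruct(), nothing in this function releases `sk->ns_tracker` for a socket whose `sk_net_refcnt` is 0, so the release now depends on every such socket reaching __sk_destruct() through sk_destruct(). If any path invokes __sk_destruct() without going through sk_destruct(), the tracker entry is left registered. A short comment above `if (likely(sk->sk_net_refcnt))` naming sk_destruct() as the place where the untracked case is handled would make that dependency explicit.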
@@ -2212,6 +2210,9 @@ void sk_destruct(struct sock *sk)
use_call_rcu = true;
}
+ if (unlikely(!sk->sk_net_refcnt))
+ __netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
+
if (use_call_rcu)
call_rcu(&sk->sk_rcu, __sk_destruct);
else
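Review bot: the added `__netns_tracker_free()` call in sk_destruct() sits before the `use_call_rcu` branch, so for sockets with `sk_net_refcnt` unset the tracker is released immediately while `sk_prot_free()` may still be deferred through `call_rcu(&sk->sk_rcu, __sk_destruct)`. That ordering appears to be the whole point of the change, yet the hunk has no comment and the patch has no changelog stating it. Suggest a one-line comment saying the tracker must be dropped here, not in the RCU callback, so that it is gone before netns dismantle inspects the ref_tracker directory.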
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [syzbot] [net?] WARNING in cleanup_net (3)
2023-11-30 9:38 ` Eric Dumazet
@ 2023-12-01 0:39 ` xingwei lee
[not found] ` <20231201111253.1029-1-hdanton@sina.com>
0 siblings, 1 reply; 14+ messages in thread
From: xingwei lee @ 2023-12-01 0:39 UTC (permalink / raw)
To: Eric Dumazet
Cc: syzbot+9ada62e1dc03fdc41982, davem, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
I forgot to CC others, repeat mail.
Sorry, Dumazet. I found this bug with my modified syzkaller in my
local environment.
You are right, I crashed this bug about 10 times and used some
heuristic solutions to increase the chances of luck with modifying
syz-repro during this process.
I can confirm the reproduction can trigger the bug soon and I hope it helps you.
I'll test your patch and give you feedback ASAP.
I applied your patch at
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b47bc037bd44f142ac09848e8d3ecccc726be99
with a little fix:
diff --git a/net/core/sock.c b/net/core/sock.c
index fef349dd72fa..36d2871ac24f 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2197,8 +2197,6 @@ static void __sk_destruct(struct rcu_head *head)
if (likely(sk->sk_net_refcnt))
put_net_track(sock_net(sk), &sk->ns_tracker);
- else
- __netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
sk_prot_free(sk->sk_prot_creator, sk);
}
@@ -2212,6 +2210,9 @@ void sk_destruct(struct sock *sk)
use_call_rcu = true;
}
+ if (unlikely(!sk->sk_net_refcnt))
+ __netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
+
if (use_call_rcu)
call_rcu(&sk->sk_rcu, __sk_destruct);
else
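Review bot: both hunks here are identical to the patch that was sent for testing, and the only visible difference is the abbreviated hashes on the `index` line, so the diff does not show what the "little fix" was. State in the mail what was adjusted (context, offsets, or base commit) so the test result can be tied to the same code that was proposed.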
and it also triggers the crash like below:
root@syzkaller:~# ./a.out
[ 114.072761][ T8229] chnl_net:caif_netlink_parms(): no params data found
[ 114.326619][ T8230] chnl_net:caif_netlink_parms(): no params data found
[ 114.340413][ T8231] chnl_net:caif_netlink_parms(): no params data found
[ 114.351274][ T8229] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.352623][ T8229] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.353589][ T8229] bridge_slave_0: entered allmulticast mode
[ 114.360175][ T8229] bridge_slave_0: entered promiscuous mode
[ 114.362593][ T8232] chnl_net:caif_netlink_parms(): no params data found
[ 114.367362][ T8229] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.368464][ T8229] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.369410][ T8229] bridge_slave_1: entered allmulticast mode
[ 114.371429][ T8229] bridge_slave_1: entered promiscuous mode
[ 114.510456][ T8229] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 114.530922][ T8229] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 114.683144][ T8231] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.684040][ T8231] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.684851][ T8231] bridge_slave_0: entered allmulticast mode
[ 114.686531][ T8231] bridge_slave_0: entered promiscuous mode
[ 114.694605][ T8230] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.695945][ T8230] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.696748][ T8230] bridge_slave_0: entered allmulticast mode
[ 114.700798][ T8230] bridge_slave_0: entered promiscuous mode
[ 114.705397][ T8229] team0: Port device team_slave_0 added
[ 114.706511][ T8230] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.707322][ T8230] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.708736][ T8230] bridge_slave_1: entered allmulticast mode
[ 114.710482][ T8230] bridge_slave_1: entered promiscuous mode
[ 114.711909][ T8232] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.713037][ T8232] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.713871][ T8232] bridge_slave_0: entered allmulticast mode
[ 114.715582][ T8232] bridge_slave_0: entered promiscuous mode
[ 114.736327][ T8231] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.737133][ T8231] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.737924][ T8231] bridge_slave_1: entered allmulticast mode
[ 114.740444][ T8231] bridge_slave_1: entered promiscuous mode
[ 114.743350][ T8229] team0: Port device team_slave_1 added
[ 114.761950][ T8232] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.762774][ T8232] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.763566][ T8232] bridge_slave_1: entered allmulticast mode
[ 114.765230][ T8232] bridge_slave_1: entered promiscuous mode
[ 114.788150][ T8230] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 114.847766][ T8230] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 114.892980][ T8231] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 114.894626][ T8229] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 114.895367][ T8229] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of b.
[ 114.898001][ T8229] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 114.946038][ T8231] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 114.949398][ T8230] team0: Port device team_slave_0 added
[ 114.950803][ T8229] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 114.951699][ T8229] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of b.
[ 114.954488][ T8229] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 114.957273][ T8230] team0: Port device team_slave_1 added
[ 114.964779][ T8232] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 115.045328][ T8232] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 115.048496][ T8231] team0: Port device team_slave_0 added
[ 115.051434][ T8231] team0: Port device team_slave_1 added
[ 115.069053][ T8230] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 115.069772][ T8230] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of b.
[ 115.072359][ T8230] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 115.140116][ T8230] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 115.140850][ T8230] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of b.
[ 115.143422][ T8230] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 115.173924][ T8231] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 115.174643][ T8231] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of b.
[ 115.177201][ T8231] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 115.203430][ T8232] team0: Port device team_slave_0 added
[ 115.209003][ T8229] hsr_slave_0: entered promiscuous mode
[ 115.210517][ T8229] hsr_slave_1: entered promiscuous mode
[ 115.212839][ T8231] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 115.213564][ T8231] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of b.
[ 115.216165][ T8231] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 115.226076][ T8232] team0: Port device team_slave_1 added
[ 115.275957][ T8232] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 115.276680][ T8232] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of b.
[ 115.279865][ T8232] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 115.373684][ T8232] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 115.374593][ T8232] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of b.
[ 115.377603][ T8232] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 115.395755][ T8230] hsr_slave_0: entered promiscuous mode
[ 115.399850][ T8230] hsr_slave_1: entered promiscuous mode
[ 115.401087][ T8230] debugfs: Directory 'hsr0' with parent 'hsr'
already present!
[ 115.402250][ T8230] Cannot create hsr debugfs directory
[ 115.407395][ T8231] hsr_slave_0: entered promiscuous mode
[ 115.409607][ T8231] hsr_slave_1: entered promiscuous mode
[ 115.410872][ T8231] debugfs: Directory 'hsr0' with parent 'hsr'
already present!
[ 115.411646][ T8231] Cannot create hsr debugfs directory
[ 115.501202][ T8232] hsr_slave_0: entered promiscuous mode
[ 115.502669][ T8232] hsr_slave_1: entered promiscuous mode
[ 115.503788][ T8232] debugfs: Directory 'hsr0' with parent 'hsr'
already present!
[ 115.504564][ T8232] Cannot create hsr debugfs directory
[ 115.938476][ T8229] netdevsim netdevsim3 netdevsim0: renamed from eth0
[ 115.946200][ T8229] netdevsim netdevsim3 netdevsim1: renamed from eth1
[ 115.950819][ T8229] netdevsim netdevsim3 netdevsim2: renamed from eth2
[ 115.954893][ T8229] netdevsim netdevsim3 netdevsim3: renamed from eth3
[ 116.003434][ T8231] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 116.041993][ T8231] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 116.045749][ T8231] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 116.067822][ T8231] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 116.092189][ T8230] netdevsim netdevsim2 netdevsim0: renamed from eth0
[ 116.097375][ T8230] netdevsim netdevsim2 netdevsim1: renamed from eth1
[ 116.105152][ T8230] netdevsim netdevsim2 netdevsim2: renamed from eth2
[ 116.117443][ T8230] netdevsim netdevsim2 netdevsim3: renamed from eth3
[ 116.166762][ T8232] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 116.171211][ T8232] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 116.174915][ T8232] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 116.179722][ T8232] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 116.304475][ T8229] 8021q: adding VLAN 0 to HW filter on device bond0
[ 116.330276][ T8231] 8021q: adding VLAN 0 to HW filter on device bond0
[ 116.352903][ T8229] 8021q: adding VLAN 0 to HW filter on device team0
[ 116.361652][ T8230] 8021q: adding VLAN 0 to HW filter on device bond0
[ 116.368463][ T8231] 8021q: adding VLAN 0 to HW filter on device team0
[ 116.389882][ T791] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.390859][ T791] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 116.393500][ T791] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.394306][ T791] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 116.400271][ T8230] 8021q: adding VLAN 0 to HW filter on device team0
[ 116.413712][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.414726][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 116.416940][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.417923][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 116.455333][T10414] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.456169][T10414] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 116.469603][ T4567] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.470452][ T4567] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 116.545064][ T8232] 8021q: adding VLAN 0 to HW filter on device bond0
[ 116.585505][ T8232] 8021q: adding VLAN 0 to HW filter on device team0
[ 116.604097][ T794] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.604923][ T794] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 116.607359][ T794] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.608223][ T794] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 116.625942][ T8229] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 116.628671][ T8230] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 116.640122][ T8231] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 116.705689][ T8231] veth0_vlan: entered promiscuous mode
[ 116.732445][ T8229] veth0_vlan: entered promiscuous mode
[ 116.750680][ T8230] veth0_vlan: entered promiscuous mode
[ 116.754121][ T8229] veth1_vlan: entered promiscuous mode
[ 116.767472][ T8232] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 116.769106][ T8231] veth1_vlan: entered promiscuous mode
[ 116.777934][ T8230] veth1_vlan: entered promiscuous mode
[ 116.800068][ T8229] veth0_macvtap: entered promiscuous mode
[ 116.806955][ T8229] veth1_macvtap: entered promiscuous mode
[ 116.836114][ T8231] veth0_macvtap: entered promiscuous mode
[ 116.853502][ T8229] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 116.863525][ T8231] veth1_macvtap: entered promiscuous mode
[ 116.869518][ T8232] veth0_vlan: entered promiscuous mode
[ 116.871213][ T8230] veth0_macvtap: entered promiscuous mode
[ 116.875893][ T8230] veth1_macvtap: entered promiscuous mode
[ 116.879203][ T8231] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 116.880567][ T8231] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 116.882667][ T8231] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 116.896729][ T8229] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 116.904540][ T8229] netdevsim netdevsim3 netdevsim0: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.905714][ T8229] netdevsim netdevsim3 netdevsim1: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.906606][ T8229] netdevsim netdevsim3 netdevsim2: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.907497][ T8229] netdevsim netdevsim3 netdevsim3: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.912478][ T8231] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 116.913556][ T8231] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 116.915575][ T8231] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 116.930500][ T8230] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 116.931588][ T8230] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 116.932581][ T8230] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 116.933835][ T8230] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 116.935827][ T8230] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 116.947967][ T8232] veth1_vlan: entered promiscuous mode
[ 116.959390][ T8230] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 116.960514][ T8230] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 116.961524][ T8230] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 116.962805][ T8230] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 116.965336][ T8230] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 116.972417][ T8230] netdevsim netdevsim2 netdevsim0: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.973541][ T8230] netdevsim netdevsim2 netdevsim1: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.974592][ T8230] netdevsim netdevsim2 netdevsim2: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.975688][ T8230] netdevsim netdevsim2 netdevsim3: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.982689][ T8231] netdevsim netdevsim1 netdevsim0: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.983846][ T8231] netdevsim netdevsim1 netdevsim1: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.984740][ T8231] netdevsim netdevsim1 netdevsim2: set [1, 0]
type 2 family 0 port 6081 - 0
[ 116.985636][ T8231] netdevsim netdevsim1 netdevsim3: set [1, 0]
type 2 family 0 port 6081 - 0
[ 117.052763][ T8232] veth0_macvtap: entered promiscuous mode
[ 117.125330][ T8232] veth1_macvtap: entered promiscuous mode
[ 117.161855][ T8232] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 117.162926][ T8232] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 117.163915][ T8232] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 117.164958][ T8232] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 117.165942][ T8232] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 117.167184][ T8232] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 117.171068][ T8232] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 117.177910][ T8232] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 117.179152][ T8232] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 117.180147][ T8232] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 117.181173][ T8232] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 117.182155][ T8232] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 117.183208][ T8232] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 117.185430][ T8232] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 117.190533][ T8232] netdevsim netdevsim0 netdevsim0: set [1, 0]
type 2 family 0 port 6081 - 0
[ 117.191440][ T8232] netdevsim netdevsim0 netdevsim1: set [1, 0]
type 2 family 0 port 6081 - 0
[ 117.192319][ T8232] netdevsim netdevsim0 netdevsim2: set [1, 0]
type 2 family 0 port 6081 - 0
[ 117.193220][ T8232] netdevsim netdevsim0 netdevsim3: set [1, 0]
type 2 family 0 port 6081 - 0
[ 119.795002][ T11] netdevsim netdevsim3 netdevsim3
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 119.804616][ T4551] systemd-journald[4551]: Sent WATCHDOG=1 notification.
[ 122.341744][ T11] netdevsim netdevsim3 netdevsim2
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 122.450843][ T11] netdevsim netdevsim3 netdevsim1
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 122.504275][ T11] netdevsim netdevsim3 netdevsim0
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 123.467548][ T11] hsr_slave_0: left promiscuous mode
[ 123.485539][ T11] hsr_slave_1: left promiscuous mode
[ 123.487868][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_0
[ 123.491528][ T11] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 123.495447][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_1
[ 123.496813][ T11] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 123.499352][ T11] bridge_slave_1: left allmulticast mode
[ 123.500320][ T11] bridge_slave_1: left promiscuous mode
[ 123.502166][ T11] bridge0: port 2(bridge_slave_1) entered disabled state
[ 123.507565][ T11] bridge_slave_0: left allmulticast mode
[ 123.510266][ T11] bridge_slave_0: left promiscuous mode
[ 123.511428][ T11] bridge0: port 1(bridge_slave_0) entered disabled state
[ 123.521008][ T11] veth1_macvtap: left promiscuous mode
[ 123.522171][ T11] veth0_macvtap: left promiscuous mode
[ 123.523307][ T11] veth1_vlan: left promiscuous mode
[ 123.524665][ T11] veth0_vlan: left promiscuous mode
[ 123.762113][ T11] team0 (unregistering): Port device team_slave_1 removed
[ 123.774449][ T11] team0 (unregistering): Port device team_slave_0 removed
[ 123.779911][ T11] bond0 (unregistering): (slave bond_slave_1):
Releasing backup interface
[ 123.786093][ T11] bond0 (unregistering): (slave bond_slave_0):
Releasing backup interface
[ 123.864081][ T11] bond0 (unregistering): Released all slaves
[ 124.886124][ T11] netdevsim netdevsim2 netdevsim3
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.002021][ T11] netdevsim netdevsim2 netdevsim2
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.080483][ T11] netdevsim netdevsim2 netdevsim1
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.123863][ T11] netdevsim netdevsim2 netdevsim0
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.278920][ T11] netdevsim netdevsim0 netdevsim3
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.343364][ T11] netdevsim netdevsim0 netdevsim2
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.432573][ T11] netdevsim netdevsim0 netdevsim1
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.524907][ T11] netdevsim netdevsim0 netdevsim0
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.638921][ T11] netdevsim netdevsim1 netdevsim3
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.708761][ T11] netdevsim netdevsim1 netdevsim2
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.843861][ T11] netdevsim netdevsim1 netdevsim1
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 125.902843][ T11] netdevsim netdevsim1 netdevsim0
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 127.305317][ T11] hsr_slave_0: left promiscuous mode
[ 127.307575][ T11] hsr_slave_1: left promiscuous mode
[ 127.310229][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_0
[ 127.311917][ T11] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 127.315522][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_1
[ 127.317504][ T11] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 127.321068][ T11] bridge_slave_1: left allmulticast mode
[ 127.322481][ T11] bridge_slave_1: left promiscuous mode
[ 127.324051][ T11] bridge0: port 2(bridge_slave_1) entered disabled state
[ 127.329783][ T11] bridge_slave_0: left allmulticast mode
[ 127.331132][ T11] bridge_slave_0: left promiscuous mode
[ 127.332593][ T11] bridge0: port 1(bridge_slave_0) entered disabled state
[ 127.349619][ T11] hsr_slave_0: left promiscuous mode
[ 127.351993][ T11] hsr_slave_1: left promiscuous mode
[ 127.354448][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_0
[ 127.356190][ T11] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 127.359889][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_1
[ 127.361631][ T11] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 127.364894][ T11] bridge_slave_1: left allmulticast mode
[ 127.366304][ T11] bridge_slave_1: left promiscuous mode
[ 127.367795][ T11] bridge0: port 2(bridge_slave_1) entered disabled state
[ 127.374317][ T11] bridge_slave_0: left allmulticast mode
[ 127.375638][ T11] bridge_slave_0: left promiscuous mode
[ 127.377139][ T11] bridge0: port 1(bridge_slave_0) entered disabled state
[ 127.389196][ T11] hsr_slave_0: left promiscuous mode
[ 127.391219][ T11] hsr_slave_1: left promiscuous mode
[ 127.393432][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_0
[ 127.395198][ T11] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 127.399196][ T11] batman_adv: batadv0: Interface deactivated:
batadv_slave_1
[ 127.400831][ T11] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 127.404132][ T11] bridge_slave_1: left allmulticast mode
[ 127.405385][ T11] bridge_slave_1: left promiscuous mode
[ 127.406979][ T11] bridge0: port 2(bridge_slave_1) entered disabled state
[ 127.411057][ T11] bridge_slave_0: left allmulticast mode
[ 127.412025][ T11] bridge_slave_0: left promiscuous mode
[ 127.413135][ T11] bridge0: port 1(bridge_slave_0) entered disabled state
[ 127.423598][ T11] veth1_macvtap: left promiscuous mode
[ 127.424211][ T11] veth0_macvtap: left promiscuous mode
[ 127.425254][ T11] veth1_vlan: left promiscuous mode
[ 127.425850][ T11] veth0_vlan: left promiscuous mode
[ 127.427781][ T11] veth1_macvtap: left promiscuous mode
[ 127.428744][ T11] veth0_macvtap: left promiscuous mode
[ 127.429592][ T11] veth1_vlan: left promiscuous mode
[ 127.430202][ T11] veth0_vlan: left promiscuous mode
[ 127.431961][ T11] veth1_macvtap: left promiscuous mode
[ 127.432549][ T11] veth0_macvtap: left promiscuous mode
[ 127.433382][ T11] veth1_vlan: left promiscuous mode
[ 127.434000][ T11] veth0_vlan: left promiscuous mode
[ 127.828054][ T11] team0 (unregistering): Port device team_slave_1 removed
[ 127.841985][ T11] team0 (unregistering): Port device team_slave_0 removed
[ 127.852461][ T11] bond0 (unregistering): (slave bond_slave_1):
Releasing backup interface
[ 127.863168][ T11] bond0 (unregistering): (slave bond_slave_0):
Releasing backup interface
[ 127.916740][ T11] bond0 (unregistering): Released all slaves
[ 128.114888][ T11] team0 (unregistering): Port device team_slave_1 removed
[ 128.123304][ T11] team0 (unregistering): Port device team_slave_0 removed
[ 128.138250][ T11] bond0 (unregistering): (slave bond_slave_1):
Releasing backup interface
[ 128.150962][ T11] bond0 (unregistering): (slave bond_slave_0):
Releasing backup interface
[ 128.220915][ T11] bond0 (unregistering): Released all slaves
[ 128.387330][ T11] team0 (unregistering): Port device team_slave_1 removed
[ 128.393487][ T11] team0 (unregistering): Port device team_slave_0 removed
[ 128.400283][ T11] bond0 (unregistering): (slave bond_slave_1):
Releasing backup interface
[ 128.405893][ T11] bond0 (unregistering): (slave bond_slave_0):
Releasing backup interface
[ 128.474976][ T11] bond0 (unregistering): Released all slaves
[ 129.921396][ T11] ref_tracker: net notrefcnt@ffff8880245d9fe0 has
1/1 users at
[ 129.921396][ T11] sk_alloc+0xa8d/0xb90
[ 129.921396][ T11] inet6_create+0x380/0x1290
[ 129.921396][ T11] __sock_create+0x328/0x800
[ 129.921396][ T11] rds_tcp_listen_init+0xd3/0x4e0
[ 129.921396][ T11] rds_tcp_init_net+0x13a/0x3e0
[ 129.921396][ T11] ops_init+0xb9/0x650
[ 129.921396][ T11] setup_net+0x422/0xa40
[ 129.921396][ T11] copy_net_ns+0x2fa/0x660
[ 129.921396][ T11] create_new_namespaces+0x3ea/0xb10
[ 129.921396][ T11] unshare_nsproxy_namespaces+0xc1/0x1f0
[ 129.921396][ T11] ksys_unshare+0x3f5/0x9c0
[ 129.921396][ T11] __x64_sys_unshare+0x31/0x40
[ 129.921396][ T11] do_syscall_64+0x41/0x110
[ 129.921396][ T11] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 129.921396][ T11]
[ 129.934511][ T4551] systemd-journald[4551]: Compressed data object
529 -> 323 using ZSTD
[ 129.934699][ T11] ------------[ cut here ]------------
[ 129.936294][ T11] WARNING: CPU: 1 PID: 11 at
lib/ref_tracker.c:179 ref_tracker_dir_exit+0x3e3/0x680
[ 129.937749][ T11] Modules linked in:
[ 129.938708][ T11] CPU: 1 PID: 11 Comm: kworker/u8:0 Not tainted
6.7.0-rc3-00033-g3b47bc037bd4-dirty #4
[ 129.939985][ T11] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[ 129.941180][ T11] Workqueue: netns cleanup_net
[ 129.941807][ T11] RIP: 0010:ref_tracker_dir_exit+0x3e3/0x680
[ 129.942750][ T11] Code: 0d 02 00 00 4d 39 f5 49 8b 06 4d 89 f7 0f
85 0e ff ff ff 48 8b 2c 24 e8 2b c1 f6 fc 48 8b 74 24 18 4
[ 129.945143][ T11] RSP: 0018:ffffc90000107b78 EFLAGS: 00010286
[ 129.945925][ T11] RAX: 0000000080000000 RBX: dffffc0000000000
RCX: 0000000000000000
[ 129.947126][ T11] RDX: 0000000000000001 RSI: ffffffff8accbc20
RDI: 0000000000000001
[ 129.948142][ T11] RBP: ffff8880245d9fe0 R08: 0000000000000001
R09: fffffbfff24241e9
[ 129.949154][ T11] R10: ffffffff92120f4f R11: 0000000000000003
R12: ffff8880245da030
[ 129.950129][ T11] R13: ffff8880245da030 R14: ffff8880245da030
R15: ffff8880245da030
[ 129.951127][ T11] FS: 0000000000000000(0000)
GS:ffff88823bc00000(0000) knlGS:0000000000000000
[ 129.952236][ T11] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 129.953009][ T11] CR2: 000056418e092340 CR3: 000000000cf77000
CR4: 0000000000750ef0
[ 129.953803][ T11] PKRU: 55555554
[ 129.954177][ T11] Call Trace:
[ 129.954519][ T11] <TASK>
[ 129.954832][ T11] ? show_regs+0x8f/0xa0
[ 129.955459][ T11] ? __warn+0xe6/0x390
[ 129.955889][ T11] ? ref_tracker_dir_exit+0x3e3/0x680
[ 129.956437][ T11] ? report_bug+0x3b9/0x580
[ 129.956924][ T11] ? handle_bug+0x67/0x90
[ 129.957371][ T11] ? exc_invalid_op+0x17/0x40
[ 129.957856][ T11] ? asm_exc_invalid_op+0x1a/0x20
[ 129.958589][ T11] ? ref_tracker_dir_exit+0x3e3/0x680
[ 129.959146][ T11] ? ref_tracker_dir_exit+0x3e2/0x680
[ 129.959797][ T11] ? ref_tracker_dir_snprint+0xd0/0xd0
[ 129.960358][ T11] ? __kmem_cache_free+0xc0/0x180
[ 129.960879][ T11] cleanup_net+0x8d4/0xb20
[ 129.961437][ T11] ? unregister_pernet_device+0x80/0x80
[ 129.962015][ T11] process_one_work+0x886/0x15d0
[ 129.962535][ T11] ? unregister_pernet_device+0x80/0x80
[ 129.963102][ T11] ? workqueue_congested+0x300/0x300
[ 129.963706][ T11] ? assign_work+0x19c/0x240
[ 129.964185][ T11] worker_thread+0x8b9/0x1290
[ 129.964681][ T11] ? process_one_work+0x15d0/0x15d0
[ 129.965216][ T11] kthread+0x2c6/0x3a0
[ 129.965643][ T11] ? _raw_spin_unlock_irq+0x23/0x50
[ 129.966183][ T11] ? kthread_complete_and_exit+0x40/0x40
[ 129.966780][ T11] ret_from_fork+0x45/0x80
[ 129.967239][ T11] ? kthread_complete_and_exit+0x40/0x40
[ 129.967811][ T11] ret_from_fork_asm+0x11/0x20
[ 129.968539][ T11] </TASK>
[ 129.968865][ T11] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 129.969594][ T11] CPU: 1 PID: 11 Comm: kworker/u8:0 Not tainted
6.7.0-rc3-00033-g3b47bc037bd4-dirty #4
[ 129.970564][ T11] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[ 129.971705][ T11] Workqueue: netns cleanup_net
[ 129.972355][ T11] Call Trace:
[ 129.972699][ T11] <TASK>
[ 129.973000][ T11] dump_stack_lvl+0xd3/0x1b0
[ 129.973481][ T11] panic+0x6dc/0x790
[ 129.973894][ T11] ? panic_smp_self_stop+0xa0/0xa0
[ 129.974464][ T11] ? show_trace_log_lvl+0x363/0x4f0
[ 129.975156][ T11] ? check_panic_on_warn+0x1f/0xb0
[ 129.975953][ T11] ? ref_tracker_dir_exit+0x3e3/0x680
[ 129.976587][ T11] check_panic_on_warn+0xab/0xb0
[ 129.977215][ T11] __warn+0xf2/0x390
[ 129.977858][ T11] ? ref_tracker_dir_exit+0x3e3/0x680
[ 129.978453][ T11] report_bug+0x3b9/0x580
[ 129.978978][ T11] handle_bug+0x67/0x90
[ 129.979605][ T11] exc_invalid_op+0x17/0x40
[ 129.980166][ T11] asm_exc_invalid_op+0x1a/0x20
[ 129.980774][ T11] RIP: 0010:ref_tracker_dir_exit+0x3e3/0x680
[ 129.981516][ T11] Code: 0d 02 00 00 4d 39 f5 49 8b 06 4d 89 f7 0f
85 0e ff ff ff 48 8b 2c 24 e8 2b c1 f6 fc 48 8b 74 24 18 4
[ 129.983639][ T11] RSP: 0018:ffffc90000107b78 EFLAGS: 00010286
[ 129.984314][ T11] RAX: 0000000080000000 RBX: dffffc0000000000
RCX: 0000000000000000
[ 129.985461][ T11] RDX: 0000000000000001 RSI: ffffffff8accbc20
RDI: 0000000000000001
[ 129.986696][ T11] RBP: ffff8880245d9fe0 R08: 0000000000000001
R09: fffffbfff24241e9
[ 129.987706][ T11] R10: ffffffff92120f4f R11: 0000000000000003
R12: ffff8880245da030
[ 129.988714][ T11] R13: ffff8880245da030 R14: ffff8880245da030
R15: ffff8880245da030
[ 129.989901][ T11] ? ref_tracker_dir_exit+0x3e2/0x680
[ 129.990759][ T11] ? ref_tracker_dir_snprint+0xd0/0xd0
[ 129.991536][ T11] ? __kmem_cache_free+0xc0/0x180
[ 129.992132][ T11] cleanup_net+0x8d4/0xb20
[ 129.992693][ T11] ? unregister_pernet_device+0x80/0x80
[ 129.993368][ T11] process_one_work+0x886/0x15d0
[ 129.994278][ T11] ? unregister_pernet_device+0x80/0x80
[ 129.994897][ T11] ? workqueue_congested+0x300/0x300
[ 129.995533][ T11] ? assign_work+0x19c/0x240
[ 129.996118][ T11] worker_thread+0x8b9/0x1290
[ 129.996913][ T11] ? process_one_work+0x15d0/0x15d0
[ 129.997521][ T11] kthread+0x2c6/0x3a0
[ 129.997989][ T11] ? _raw_spin_unlock_irq+0x23/0x50
[ 129.998664][ T11] ? kthread_complete_and_exit+0x40/0x40
[ 129.999378][ T11] ret_from_fork+0x45/0x80
[ 129.999981][ T11] ? kthread_complete_and_exit+0x40/0x40
[ 130.000580][ T11] ret_from_fork_asm+0x11/0x20
[ 130.001142][ T11] </TASK>
[ 130.001751][ T11] Kernel Offset: disabled
[ 130.002231][ T11] Rebooting in 86400 seconds..
I am willing to help; please tell me which commit or branch I should
test your patch on.
Thanks.
On Thu, Nov 30, 2023 at 17:39, Eric Dumazet <edumazet@google.com> wrote:
>
> On Thu, Nov 30, 2023 at 9:46 AM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Thu, Nov 30, 2023 at 9:42 AM xingwei lee <xrivendell7@gmail.com> wrote:
> > >
> > > Hello
> > > I reproduced this bug with repro.txt and repro.c
> > >
> > >
> >
> >
> > Is your syzbot instance ready to accept patches for testing ?
> >
> > Otherwise, a repro which happens to work 'by luck' might not work for me.
> >
> > The bug here is a race condition with rds subsystem being dismantled
> > at netns dismantle, the 'repro' could be anything really.
>
> Can you test the following patch ?
> Thanks.
>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index fef349dd72fa735b5915fc03e29cbb155b2aff2c..36d2871ac24f383e4e5d1af1168000f076011aae
> 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2197,8 +2197,6 @@ static void __sk_destruct(struct rcu_head *head)
>
> if (likely(sk->sk_net_refcnt))
> put_net_track(sock_net(sk), &sk->ns_tracker);
> - else
> - __netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
>
> sk_prot_free(sk->sk_prot_creator, sk);
> }
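Review bot: with the else branch removed, __sk_destruct() no longer shows where the ns_tracker of a socket with sk_net_refcnt == 0 is released, so the remaining `if (likely(sk->sk_net_refcnt))` test reads as if that case leaks. A one-line comment there pointing at sk_destruct() would keep the two halves of the pairing visible. It is also worth confirming that nothing reaches __sk_destruct() other than through sk_destruct(), since any such path would now skip __netns_tracker_free() for these sockets.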
> @@ -2212,6 +2210,9 @@ void sk_destruct(struct sock *sk)
> use_call_rcu = true;
> }
>
> + if (unlikely(!sk->sk_net_refcnt))
> + __netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
> +
> if (use_call_rcu)
> call_rcu(&sk->sk_rcu, __sk_destruct);
> else
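Review bot: the new `if (unlikely(!sk->sk_net_refcnt))` block in sk_destruct() needs a comment explaining why the tracker is freed here, before call_rcu(), rather than inside the __sk_destruct() callback. As posted, nothing in the code records that the ordering against the RCU-deferred destruct is the point of the change, and a later cleanup could fold the call back into __sk_destruct(). The final submission should also carry a changelog describing the race with netns dismantle mentioned earlier in the thread.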