* unregister_netdevice: waiting for DEV to become free (4) @ 2020-08-19 13:54 syzbot 2020-08-19 14:03 ` Dmitry Vyukov 2020-08-19 14:51 ` syzbot 0 siblings, 2 replies; 5+ messages in thread From: syzbot @ 2020-08-19 13:54 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs Hello, syzbot found the following issue on: HEAD commit: 18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel... git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000 kernel config: https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0 compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15859986900000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com unregister_netdevice: waiting for lo to become free. Usage count = 1 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4) 2020-08-19 13:54 unregister_netdevice: waiting for DEV to become free (4) syzbot @ 2020-08-19 14:03 ` Dmitry Vyukov 2020-08-20 17:07 ` Andrii Nakryiko 2020-08-19 14:51 ` syzbot 1 sibling, 1 reply; 5+ messages in thread From: Dmitry Vyukov @ 2020-08-19 14:03 UTC (permalink / raw) To: syzbot; +Cc: LKML, syzkaller-bugs, bpf On Wed, Aug 19, 2020 at 3:54 PM syzbot <syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: 18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel... > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000 > kernel config: https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f > dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0 > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15859986900000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000 > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com > > unregister_netdevice: waiting for lo to become free. Usage count = 1 Based on the repro, it looks bpf/bpf link related: syz_emit_ethernet(0x86, &(0x7f0000000000)={@local, @empty=[0x2], @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x1b59, 0x64, 0x0, @wg=@response={0x5, 0x0, 0x0, "020000010865390406030500000000010900", "9384bbeb3018ad591b661fe808b21b77", {"694c875dfb1be5d2a0057a62022a1564", "a329d3a73b8268129e5fa4316a5d8c69"}}}}}}}, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000040)='cgroup2\x00', 0x0, 0x0) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4, &(0x7f0000000000)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6, 0x2, 0x1}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r1, r0, 0x2}, 0x10) > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this issue, for details see: > https://goo.gl/tpsmEJ#testing-patches ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4) 2020-08-19 14:03 ` Dmitry Vyukov @ 2020-08-20 17:07 ` Andrii Nakryiko 2020-08-20 17:15 ` Dmitry Vyukov 0 siblings, 1 reply; 5+ messages in thread From: Andrii Nakryiko @ 2020-08-20 17:07 UTC (permalink / raw) To: Dmitry Vyukov; +Cc: syzbot, LKML, syzkaller-bugs, bpf On Wed, Aug 19, 2020 at 7:06 AM Dmitry Vyukov <dvyukov@google.com> wrote: > > On Wed, Aug 19, 2020 at 3:54 PM syzbot > <syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com> wrote: > > > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: 18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel... > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f > > dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0 > > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15859986900000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000 > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com > > > > unregister_netdevice: waiting for lo to become free. Usage count = 1 > > Based on the repro, it looks bpf/bpf link related: > > syz_emit_ethernet(0x86, &(0x7f0000000000)={@local, @empty=[0x2], > @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0, > 0x11, 0x0, @empty, @empty}, {0x0, 0x1b59, 0x64, 0x0, > @wg=@response={0x5, 0x0, 0x0, "020000010865390406030500000000010900", > "9384bbeb3018ad591b661fe808b21b77", > {"694c875dfb1be5d2a0057a62022a1564", > "a329d3a73b8268129e5fa4316a5d8c69"}}}}}}}, 0x0) > mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) > mount(0x0, &(0x7f0000000080)='./file0\x00', > &(0x7f0000000040)='cgroup2\x00', 0x0, 0x0) > r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) > r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4, > &(0x7f0000000000)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6, > 0x2, 0x1}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [], > 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) > bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r1, r0, 0x2}, 0x10) > The only place where BPF link-related code is bumping refcount for net_device is in bpf_xdp_link_attach(), but both success and failure code paths always do dev_put() in the end. bpf_link itself has a pointer on net_device, but it's protected by rtnl_lock() only, no refcnt associated with it. So I don't see how bpf_link can cause this. I also couldn't reproduce this locally, using the provided C reproducer. > > --- > > This report is generated by a bot. It may contain errors. > > See https://goo.gl/tpsmEJ for more information about syzbot. > > syzbot engineers can be reached at syzkaller@googlegroups.com. > > > > syzbot will keep track of this issue. See: > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > syzbot can test patches for this issue, for details see: > > https://goo.gl/tpsmEJ#testing-patches ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4) 2020-08-20 17:07 ` Andrii Nakryiko @ 2020-08-20 17:15 ` Dmitry Vyukov 0 siblings, 0 replies; 5+ messages in thread From: Dmitry Vyukov @ 2020-08-20 17:15 UTC (permalink / raw) To: Andrii Nakryiko; +Cc: syzbot, LKML, syzkaller-bugs, bpf On Thu, Aug 20, 2020 at 7:07 PM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote: > > On Wed, Aug 19, 2020 at 3:54 PM syzbot > > <syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot found the following issue on: > > > > > > HEAD commit: 18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel... > > > git tree: upstream > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1710d97a900000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f > > > dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0 > > > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15859986900000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000 > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com > > > > > > unregister_netdevice: waiting for lo to become free. Usage count = 1 > > > > Based on the repro, it looks bpf/bpf link related: > > > > syz_emit_ethernet(0x86, &(0x7f0000000000)={@local, @empty=[0x2], > > @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0, > > 0x11, 0x0, @empty, @empty}, {0x0, 0x1b59, 0x64, 0x0, > > @wg=@response={0x5, 0x0, 0x0, "020000010865390406030500000000010900", > > "9384bbeb3018ad591b661fe808b21b77", > > {"694c875dfb1be5d2a0057a62022a1564", > > "a329d3a73b8268129e5fa4316a5d8c69"}}}}}}}, 0x0) > > mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) > > mount(0x0, &(0x7f0000000080)='./file0\x00', > > &(0x7f0000000040)='cgroup2\x00', 0x0, 0x0) > > r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) > > r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4, > > &(0x7f0000000000)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6, > > 0x2, 0x1}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [], > > 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) > > bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r1, r0, 0x2}, 0x10) > > > > The only place where BPF link-related code is bumping refcount for > net_device is in bpf_xdp_link_attach(), but both success and failure > code paths always do dev_put() in the end. bpf_link itself has a > pointer on net_device, but it's protected by rtnl_lock() only, no > refcnt associated with it. So I don't see how bpf_link can cause this. > I also couldn't reproduce this locally, using the provided C > reproducer. I was able to reproduce this in qemu the first time. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (4) 2020-08-19 13:54 unregister_netdevice: waiting for DEV to become free (4) syzbot 2020-08-19 14:03 ` Dmitry Vyukov @ 2020-08-19 14:51 ` syzbot 1 sibling, 0 replies; 5+ messages in thread From: syzbot @ 2020-08-19 14:51 UTC (permalink / raw) To: ast, bpf, davem, dvyukov, linux-fsdevel, linux-kernel, mcgrof, syzkaller-bugs, viro syzbot has bisected this issue to: commit 449325b52b7a6208f65ed67d3484fd7b7184477b Author: Alexei Starovoitov <ast@kernel.org> Date: Tue May 22 02:22:29 2018 +0000 umh: introduce fork_usermode_blob() helper bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11f86186900000 start commit: 18445bf4 Merge tag 'spi-fix-v5.9-rc1' of git://git.kernel... git tree: upstream final oops: https://syzkaller.appspot.com/x/report.txt?x=13f86186900000 console output: https://syzkaller.appspot.com/x/log.txt?x=15f86186900000 kernel config: https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f dashboard link: https://syzkaller.appspot.com/bug?extid=df400f2f24a1677cd7e0 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15859986900000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228fea1900000 Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper") For information about bisection process see: https://goo.gl/tpsmEJ#bisection ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-08-20 17:15 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-08-19 13:54 unregister_netdevice: waiting for DEV to become free (4) syzbot 2020-08-19 14:03 ` Dmitry Vyukov 2020-08-20 17:07 ` Andrii Nakryiko 2020-08-20 17:15 ` Dmitry Vyukov 2020-08-19 14:51 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox