[syzbot] [net?] WARNING in nsim_udp_tunnel_set

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [syzbot] [net?] WARNING in nsim_udp_tunnel_set_port
@ 2025-01-15 14:42 syzbot
  0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2025-01-15 14:42 UTC (permalink / raw)
  To: andrew+netdev, davem, edumazet, kuba, linux-kernel, netdev,
	pabeni, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    63676eefb7a0 Merge tag 'sched_ext-for-6.13-rc5-fixes' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1336e418580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=86dd15278dbfe19f
dashboard link: https://syzkaller.appspot.com/bug?extid=2e5de9e3ab986b71d2bf
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17cfb1c4580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ac4edf980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ba5dd9f6cf65/disk-63676eef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/290bc4e6d798/vmlinux-63676eef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/561f22e07925/bzImage-63676eef.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e5de9e3ab986b71d2bf@syzkaller.appspotmail.com

------------[ cut here ]------------
entry already in use
WARNING: CPU: 1 PID: 5869 at drivers/net/netdevsim/udp_tunnels.c:26 nsim_udp_tunnel_set_port+0x2d3/0x390 drivers/net/netdevsim/udp_tunnels.c:26
Modules linked in:
CPU: 1 UID: 0 PID: 5869 Comm: syz-executor227 Not tainted 6.13.0-rc5-syzkaller-00161-g63676eefb7a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:nsim_udp_tunnel_set_port+0x2d3/0x390 drivers/net/netdevsim/udp_tunnels.c:26
Code: c3 cc cc cc cc e8 dd a0 ca fa 44 89 f7 e8 85 38 b8 fa e9 ee fd ff ff e8 cb a0 ca fa 90 48 c7 c7 e0 7f 0a 8c e8 fe 66 8b fa 90 <0f> 0b 90 90 4c 8d 73 04 41 bf f0 ff ff ff e9 fa fe ff ff e8 c5 10
RSP: 0018:ffffc90003fffab8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffc90003fffbb0 RCX: ffffffff815a1789
RDX: ffff8880301d5a00 RSI: ffffffff815a1796 RDI: 0000000000000001
RBP: ffff8880744cc000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000017c10002 R15: 0000000000000000
FS:  0000555579af3380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac84532b0 CR3: 000000001decc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 udp_tunnel_nic_device_sync_one net/ipv4/udp_tunnel_nic.c:225 [inline]
 udp_tunnel_nic_device_sync_by_port net/ipv4/udp_tunnel_nic.c:246 [inline]
 __udp_tunnel_nic_device_sync.part.0+0x935/0xed0 net/ipv4/udp_tunnel_nic.c:289
 __udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:283 [inline]
 __udp_tunnel_nic_reset_ntf+0x3c1/0x520 net/ipv4/udp_tunnel_nic.c:581
 udp_tunnel_nic_reset_ntf include/net/udp_tunnel.h:377 [inline]
 nsim_udp_tunnels_info_reset_write+0xc2/0x110 drivers/net/netdevsim/udp_tunnels.c:117
 full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
 vfs_write+0x24c/0x1150 fs/read_write.c:677
 ksys_write+0x12b/0x250 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5ac83d0df9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc834f88c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5ac83d0df9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007f5ac841e1fa R09: 00007f5ac841e1fa
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ac841e453
R13: 0000000000000001 R14: 00007ffc834f8900 R15: 0000000000000000
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [net?] WARNING in nsim_udp_tunnel_set_port
       [not found] <20250122085643.278fdac3@kernel.org>
@ 2025-01-22 17:11 ` syzbot
  0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2025-01-22 17:11 UTC (permalink / raw)
  To: kuba, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in nsim_udp_tunnel_set_port

------------[ cut here ]------------
entry already in use
WARNING: CPU: 0 PID: 6740 at drivers/net/netdevsim/udp_tunnels.c:26 nsim_udp_tunnel_set_port+0x2d3/0x390 drivers/net/netdevsim/udp_tunnels.c:26
Modules linked in:
CPU: 0 UID: 0 PID: 6740 Comm: syz.2.25 Not tainted 6.13.0-rc7-syzkaller-gcf33d96f5090 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:nsim_udp_tunnel_set_port+0x2d3/0x390 drivers/net/netdevsim/udp_tunnels.c:26
Code: c3 cc cc cc cc e8 dd ed c9 fa 44 89 f7 e8 95 88 b7 fa e9 ee fd ff ff e8 cb ed c9 fa 90 48 c7 c7 80 96 2a 8c e8 ae b5 8a fa 90 <0f> 0b 90 90 4c 8d 73 04 41 bf f0 ff ff ff e9 fa fe ff ff e8 15 5e
RSP: 0018:ffffc90003117ab8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffc90003117bb0 RCX: ffffffff815a17c9
RDX: ffff8880273a9e00 RSI: ffffffff815a17d6 RDI: 0000000000000001
RBP: ffff88802508c000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000017c10002 R15: 0000000000000000
FS:  00007fd6e91046c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f70aa746d38 CR3: 000000003328e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 udp_tunnel_nic_device_sync_one net/ipv4/udp_tunnel_nic.c:225 [inline]
 udp_tunnel_nic_device_sync_by_port net/ipv4/udp_tunnel_nic.c:246 [inline]
 __udp_tunnel_nic_device_sync.part.0+0x935/0xed0 net/ipv4/udp_tunnel_nic.c:289
 __udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:283 [inline]
 __udp_tunnel_nic_reset_ntf+0x3c1/0x520 net/ipv4/udp_tunnel_nic.c:581
 udp_tunnel_nic_reset_ntf include/net/udp_tunnel.h:377 [inline]
 nsim_udp_tunnels_info_reset_write+0xc2/0x110 drivers/net/netdevsim/udp_tunnels.c:117
 full_proxy_write+0xfd/0x1b0 fs/debugfs/file.c:369
 vfs_write+0x24c/0x1150 fs/read_write.c:677
 ksys_write+0x12b/0x250 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd6e8385d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd6e9104038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fd6e8575fa0 RCX: 00007fd6e8385d29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fd6e8401b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd6e8575fa0 R15: 00007ffd899920e8
 </TASK>


Tested on:

commit:         cf33d96f Merge git://git.kernel.org/pub/scm/linux/kern..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=142f3618580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3eff53fbe4c843d4
dashboard link: https://syzkaller.appspot.com/bug?extid=2e5de9e3ab986b71d2bf
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [net?] WARNING in nsim_udp_tunnel_set_port
       [not found] <20250122091734.04e3a87f@kernel.org>
@ 2025-01-22 17:56 ` syzbot
  0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2025-01-22 17:56 UTC (permalink / raw)
  To: kuba, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in nsim_udp_tunnels_info_reset_write

==================================================================
BUG: KASAN: slab-use-after-free in nsim_udp_tunnels_info_reset_write+0xf8/0x110 drivers/net/netdevsim/udp_tunnels.c:116
Read of size 8 at addr ffff88805b9f94d8 by task syz.0.4728/17081

CPU: 0 UID: 0 PID: 17081 Comm: syz.0.4728 Not tainted 6.13.0-syzkaller-gc4b9570cfb63-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 nsim_udp_tunnels_info_reset_write+0xf8/0x110 drivers/net/netdevsim/udp_tunnels.c:116
 full_proxy_write+0xfd/0x1b0 fs/debugfs/file.c:369
 vfs_write+0x24c/0x1150 fs/read_write.c:677
 ksys_write+0x12b/0x250 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc7e585d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbc7f41d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbc7e775fa0 RCX: 00007fbc7e585d29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fbc7e601b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fbc7e775fa0 R15: 00007fff9f7d4048
 </TASK>

Allocated by task 11942:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4298 [inline]
 __kmalloc_node_noprof+0x21f/0x520 mm/slub.c:4304
 __kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:645
 alloc_netdev_mqs+0xc9/0x1320 net/core/dev.c:11228
 nsim_create+0x98/0xb20 drivers/net/netdevsim/netdev.c:777
 __nsim_dev_port_add+0x3bf/0x700 drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1449 [inline]
 nsim_drv_probe+0xdbf/0x1490 drivers/net/netdevsim/dev.c:1607
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3665
 nsim_bus_dev_new drivers/net/netdevsim/bus.c:442 [inline]
 new_device_store+0x41d/0x730 drivers/net/netdevsim/bus.c:173
 bus_attr_store+0x71/0xb0 drivers/base/bus.c:172
 sysfs_kf_write+0x117/0x170 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x33d/0x500 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x5ae/0x1150 fs/read_write.c:679
 ksys_write+0x12b/0x250 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 3526:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 kvfree+0x47/0x50 mm/util.c:688
 device_release+0xa1/0x240 drivers/base/core.c:2567
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e4/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3773
 free_netdev+0x4f1/0x6c0 net/core/dev.c:11397
 __nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1428
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline]
 nsim_dev_reload_destroy+0x108/0x4d0 drivers/net/netdevsim/dev.c:1661
 nsim_dev_reload_down+0x6e/0xd0 drivers/net/netdevsim/dev.c:968
 devlink_reload+0x17f/0x760 net/devlink/dev.c:461
 devlink_pernet_pre_exit+0x1a1/0x2b0 net/devlink/core.c:509
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x488/0xbd0 net/core/net_namespace.c:628
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88805b9f8000
 which belongs to the cache kmalloc-cg-8k of size 8192
The buggy address is located 5336 bytes inside of
 freed 8192-byte region [ffff88805b9f8000, ffff88805b9fa000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5b9f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8880296446c1
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b04f640 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000001f5000000 ffff8880296446c1
head: 00fff00000000040 ffff88801b04f640 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000001f5000000 ffff8880296446c1
head: 00fff00000000003 ffffea00016e7e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 11942, tgid 11942 (syz-executor), ts 192560619734, free_ts 192552404020
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x221/0x2470 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xbcd/0x1590 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_node_noprof+0x2f0/0x520 mm/slub.c:4304
 __kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:645
 alloc_netdev_mqs+0xc9/0x1320 net/core/dev.c:11228
 nsim_create+0x98/0xb20 drivers/net/netdevsim/netdev.c:777
 __nsim_dev_port_add+0x3bf/0x700 drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1449 [inline]
 nsim_drv_probe+0xdbf/0x1490 drivers/net/netdevsim/dev.c:1607
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
page last free pid 11942 tgid 11942 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
 __put_partials+0x14c/0x170 mm/slub.c:3157
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_kmalloc+0x8a/0xb0 mm/kasan/common.c:385
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 ref_tracker_alloc+0x17c/0x5b0 lib/ref_tracker.c:203
 __netdev_tracker_alloc include/linux/netdevice.h:4136 [inline]
 netdev_hold include/linux/netdevice.h:4165 [inline]
 netdev_hold include/linux/netdevice.h:4160 [inline]
 register_netdevice+0x164b/0x1e20 net/core/dev.c:10638
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:733 [inline]
 nsim_create+0x740/0xb20 drivers/net/netdevsim/netdev.c:793
 __nsim_dev_port_add+0x3bf/0x700 drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1449 [inline]
 nsim_drv_probe+0xdbf/0x1490 drivers/net/netdevsim/dev.c:1607
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030

Memory state around the buggy address:
 ffff88805b9f9380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805b9f9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805b9f9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88805b9f9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805b9f9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         c4b9570c Merge tag 'audit-pr-20250121' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1404cab0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c857c6065c39b1e2
dashboard link: https://syzkaller.appspot.com/bug?extid=2e5de9e3ab986b71d2bf
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13c71824580000


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [net?] WARNING in nsim_udp_tunnel_set_port
       [not found] <20250122132428.170b674d@kernel.org>
@ 2025-01-22 21:41 ` syzbot
  0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2025-01-22 21:41 UTC (permalink / raw)
  To: kuba, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in reg_process_self_managed_hints

INFO: task kworker/0:0:8 blocked for more than 143 seconds.
      Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0     state:D stack:23184 pid:8     tgid:8     ppid:2      flags:0x00004000
Workqueue: events reg_todo
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5373 [inline]
 __schedule+0x1142/0x5b60 kernel/sched/core.c:6760
 __schedule_loop kernel/sched/core.c:6837 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6852
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6909
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
 reg_process_self_managed_hints+0x95/0x1f0 net/wireless/reg.c:3206
 reg_todo+0x684/0x910 net/wireless/reg.c:3219
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/u8:1:12 blocked for more than 143 seconds.
      Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:1    state:D stack:22400 pid:12    tgid:12    ppid:2      flags:0x00004000
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5373 [inline]
 __schedule+0x1142/0x5b60 kernel/sched/core.c:6760
 __schedule_loop kernel/sched/core.c:6837 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6852
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6909
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 rtnl_acquire_if_cleanup_net net/core/dev.c:10272 [inline]
 unregister_netdevice_many_notify+0x1a51/0x21a0 net/core/dev.c:11792
 unregister_netdevice_many net/core/dev.c:11875 [inline]
 unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11741
 unregister_netdevice include/linux/netdevice.h:3329 [inline]
 _cfg80211_unregister_wdev+0x64b/0x830 net/wireless/core.c:1251
 ieee80211_remove_interfaces+0x34f/0x720 net/mac80211/iface.c:2305
 ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1681
 mac80211_hwsim_del_radio+0x268/0x370 drivers/net/wireless/virtual/mac80211_hwsim.c:5664
 hwsim_exit_net+0x33f/0x6d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6544
 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:172
 cleanup_net+0x5c6/0xbf0 net/core/net_namespace.c:652
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/u8:3:52 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:3    state:D stack:24448 pid:52    tgid:52    ppid:2      flags:0x00004000
Workqueue: events_unbound linkwatch_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5373 [inline]
 __schedule+0x1142/0x5b60 kernel/sched/core.c:6760
 __schedule_loop kernel/sched/core.c:6837 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6852
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6909
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 linkwatch_event+0x51/0xc0 net/core/link_watch.c:285
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/u8:7:4539 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:7    state:D stack:22480 pid:4539  tgid:4539  ppid:2      flags:0x00004000
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5373 [inline]
 __schedule+0x1142/0x5b60 kernel/sched/core.c:6760
 __schedule_loop kernel/sched/core.c:6837 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6852
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6909
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 rtnl_net_lock include/linux/rtnetlink.h:129 [inline]
 addrconf_dad_work+0x121/0x14e0 net/ipv6/addrconf.c:4190
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task syz-executor:6486 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:24416 pid:6486  tgid:6486  ppid:6483   flags:0x00000000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5373 [inline]
 __schedule+0x1142/0x5b60 kernel/sched/core.c:6760
 __schedule_loop kernel/sched/core.c:6837 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6852
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6909
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 rtnl_lock net/core/rtnetlink.c:79 [inline]
 rtnl_nets_lock net/core/rtnetlink.c:335 [inline]
 rtnl_newlink+0x5e4/0x1d70 net/core/rtnetlink.c:4020
 rtnetlink_rcv_msg+0x95b/0xea0 net/core/rtnetlink.c:6911
 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
 netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1348
 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:713 [inline]
 __sock_sendmsg net/socket.c:728 [inline]
 __sys_sendto+0x488/0x4f0 net/socket.c:2182
 __do_sys_sendto net/socket.c:2189 [inline]
 __se_sys_sendto net/socket.c:2185 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2185
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f11c0787b63
RSP: 002b:00007fffb998ac68 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f11c14a4620 RCX: 00007f11c0787b63
RDX: 0000000000000068 RSI: 00007f11c14a4670 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007fffb998ac84 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f11c14a4670 R15: 0000000000000000
 </TASK>
INFO: task syz-executor:6527 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:26712 pid:6527  tgid:6527  ppid:6467   flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5373 [inline]
 __schedule+0x1142/0x5b60 kernel/sched/core.c:6760
 __schedule_loop kernel/sched/core.c:6837 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6852
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6909
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 register_nexthop_notifier+0x1b/0x70 net/ipv4/nexthop.c:3878
 ops_init+0x1df/0x5f0 net/core/net_namespace.c:138
 setup_net+0x21f/0x860 net/core/net_namespace.c:362
 copy_net_ns+0x2b4/0x6c0 net/core/net_namespace.c:516
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x45d/0xa40 kernel/fork.c:3330
 __do_sys_unshare kernel/fork.c:3401 [inline]
 __se_sys_unshare kernel/fork.c:3399 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3399
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd83987527
RSP: 002b:00007ffd7d056878 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcd83987527
RDX: 00007fcd83985d29 RSI: 00007ffd7d056840 RDI: 0000000040000000
RBP: 0000000000000000 R08: 00007fcd83b3a9d0 R09: 00007fcd83b3a9d0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7d0568e0
R13: 00007ffd7d0568e8 R14: 0000000000000009 R15: 0000000000000000
 </TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:234 [inline]
 watchdog+0xf14/0x1240 kernel/hung_task.c:397
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6467 Comm: syz-executor Not tainted 6.13.0-syzkaller-g7004a2e46d16-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:entry_SYSCALL_64_after_hwframe+0x58/0x7f
Code: ed 45 31 e4 45 31 ed 45 31 f6 45 31 ff 48 89 e7 48 63 f0 66 90 b9 48 00 00 00 65 48 8b 15 57 7a c2 74 89 d0 48 c1 ea 20 0f 30 <90> 0f 1f 44 00 00 eb 0d cc cc cc cc cc cc cc cc cc cc cc cc cc e8
RSP: 0018:ffffc90003637f58 EFLAGS: 00000046
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000048
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003637f58
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  000055555b584500(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d971876600 CR3: 0000000060c72000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:


Tested on:

commit:         7004a2e4 Merge tag 'linux_kselftest-nolibc-6.14-rc1' o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1711cab0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5d506ed4ac7a7a13
dashboard link: https://syzkaller.appspot.com/bug?extid=2e5de9e3ab986b71d2bf
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=141dc9f8580000


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-01-22 21:41 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20250122091734.04e3a87f@kernel.org>
2025-01-22 17:56 ` [syzbot] [net?] WARNING in nsim_udp_tunnel_set_port syzbot
     [not found] <20250122132428.170b674d@kernel.org>
2025-01-22 21:41 ` syzbot
     [not found] <20250122085643.278fdac3@kernel.org>
2025-01-22 17:11 ` syzbot
2025-01-15 14:42 syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox