* [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: syzbot @ 2025-07-29 7:08 UTC (permalink / raw)
To: davem, edumazet, herbert, horms, kuba, linux-kernel, netdev,
pabeni, steffen.klassert, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 038d61fd6422 Linux 6.16
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3284 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
Modules linked in:
CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 68 fa 0b f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 56 c8 ec f7 e8 51 e8 a9 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 43 e8 a9 f7 90 0f 0b 90 e9 60 fe ff ff
RSP: 0018:ffffc90000ac7898 EFLAGS: 00010293
RAX: ffffffff8a163e8f RBX: ffff888034008000 RCX: ffff888143299e00
RDX: 0000000000000000 RSI: ffffffff8db8419f RDI: ffff888143299e00
RBP: ffffc90000ac79b0 R08: ffffffff8f6196e7 R09: 1ffffffff1ec32dc
R10: dffffc0000000000 R11: fffffbfff1ec32dd R12: ffffffff8f617760
R13: 1ffff92000158f40 R14: ffff8880340094c0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888125d23000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbd9e960960 CR3: 00000000316d3000 CR4: 0000000000350ef0
Call Trace:
<TASK>
xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
ops_exit_list net/core/net_namespace.c:200 [inline]
ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: Steffen Klassert @ 2025-07-29 11:01 UTC (permalink / raw)
To: syzbot, Sabrina Dubroca
Cc: davem, edumazet, herbert, horms, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
On Tue, Jul 29, 2025 at 12:08:31AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 038d61fd6422 Linux 6.16
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
> dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3284 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> Modules linked in:
> CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> Workqueue: netns cleanup_net
> RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 68 fa 0b f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 56 c8 ec f7 e8 51 e8 a9 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 43 e8 a9 f7 90 0f 0b 90 e9 60 fe ff ff
> RSP: 0018:ffffc90000ac7898 EFLAGS: 00010293
> RAX: ffffffff8a163e8f RBX: ffff888034008000 RCX: ffff888143299e00
> RDX: 0000000000000000 RSI: ffffffff8db8419f RDI: ffff888143299e00
> RBP: ffffc90000ac79b0 R08: ffffffff8f6196e7 R09: 1ffffffff1ec32dc
> R10: dffffc0000000000 R11: fffffbfff1ec32dd R12: ffffffff8f617760
> R13: 1ffff92000158f40 R14: ffff8880340094c0 R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff888125d23000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fbd9e960960 CR3: 00000000316d3000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
> ops_exit_list net/core/net_namespace.c:200 [inline]
> ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
> cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
> process_one_work kernel/workqueue.c:3238 [inline]
> process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
> kthread+0x711/0x8a0 kernel/kthread.c:464
> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> </TASK>
Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
At least reverting them makes it go away. Can you please look
into this?
Please note that
CONFIG_INET_DIAG_DESTROY=y
has to be set to trigger the warning.
Thanks!
* Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: Sabrina Dubroca @ 2025-07-29 11:09 UTC (permalink / raw)
To: Steffen Klassert
Cc: syzbot, davem, edumazet, herbert, horms, kuba, linux-kernel,
netdev, pabeni, syzkaller-bugs
Hi Steffen,
2025-07-29, 13:01:22 +0200, Steffen Klassert wrote:
> On Tue, Jul 29, 2025 at 12:08:31AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 038d61fd6422 Linux 6.16
> > git tree: upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
> > compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3284 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> > Modules linked in:
> > CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-syzkaller #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> > Workqueue: netns cleanup_net
> > RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> > Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 68 fa 0b f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 56 c8 ec f7 e8 51 e8 a9 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 43 e8 a9 f7 90 0f 0b 90 e9 60 fe ff ff
> > RSP: 0018:ffffc90000ac7898 EFLAGS: 00010293
> > RAX: ffffffff8a163e8f RBX: ffff888034008000 RCX: ffff888143299e00
> > RDX: 0000000000000000 RSI: ffffffff8db8419f RDI: ffff888143299e00
> > RBP: ffffc90000ac79b0 R08: ffffffff8f6196e7 R09: 1ffffffff1ec32dc
> > R10: dffffc0000000000 R11: fffffbfff1ec32dd R12: ffffffff8f617760
> > R13: 1ffff92000158f40 R14: ffff8880340094c0 R15: dffffc0000000000
> > FS: 0000000000000000(0000) GS:ffff888125d23000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007fbd9e960960 CR3: 00000000316d3000 CR4: 0000000000350ef0
> > Call Trace:
> > <TASK>
> > xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
> > ops_exit_list net/core/net_namespace.c:200 [inline]
> > ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
> > cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
> > process_one_work kernel/workqueue.c:3238 [inline]
> > process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
> > worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
> > kthread+0x711/0x8a0 kernel/kthread.c:464
> > ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
> > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > </TASK>
>
> Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
> At least reverting them makes it go away. Can you please look
> into this?
I haven't looked at the other reports yet, but this one seems to be a
stupid mistake in my revert patch. With these changes, the syzbot
repro stops splatting here:
#syz test
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 5120a763da0d..0a0eeaed0591 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
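Review bot: in xfrm6_tunnel_net_exit() the bare 0 passed as the proto argument of xfrm_state_flush() gives no hint of what it selects, while the IPSEC_PROTO_ANY it replaces reads like the wildcard. A one-line comment on the `xfrm_state_flush(net, 0, false);` call saying why 0 is wanted here would stop a later cleanup from changing it back.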
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 97ff756191ba..5f1da305eea8 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3278,7 +3278,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
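Review bot: the WARN_ON(!list_empty(&net->xfrm.state_all)) two lines below the changed call in xfrm_state_fini() only holds if that flush removes every state in the netns, so the choice of proto argument is what the assertion rests on and deserves a comment at the call. As posted for `#syz test` the patch also has no changelog, Signed-off-by or the Reported-by tag syzbot asked for; the formal submission should carry them.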
--
Sabrina
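Added example, not part of the thread or of the kernel source: a user-space model of why the proto argument changed in the patch above decides whether the WARN_ON in xfrm_state_fini() fires. `proto_match()` is modelled on the kernel's `xfrm_id_proto_match()` helper in include/net/xfrm.h (not shown on this page); `toy_netns`, `toy_flush()` and the sample state list are hypothetical names and constructed data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol numbers as assigned by IANA and used in the kernel headers. */
#define IPPROTO_IPIP     4
#define IPPROTO_IPV6    41
#define IPPROTO_ESP     50
#define IPPROTO_AH      51
#define IPPROTO_COMP   108
#define IPSEC_PROTO_ANY 255

/* Modelled on xfrm_id_proto_match(): 0 matches every state, while
 * IPSEC_PROTO_ANY matches only the three IPsec protocols. */
static bool proto_match(uint8_t proto, uint8_t userproto)
{
	return !userproto || proto == userproto ||
	       (userproto == IPSEC_PROTO_ANY &&
		(proto == IPPROTO_AH || proto == IPPROTO_ESP ||
		 proto == IPPROTO_COMP));
}

/* Hypothetical stand-in for net->xfrm.state_all: one proto per state. */
struct toy_netns {
	uint8_t state_proto[8];
	size_t n;
};

/* Toy flush: drop every matching state, return how many are left. */
static size_t toy_flush(struct toy_netns *ns, uint8_t userproto)
{
	size_t kept = 0;

	for (size_t i = 0; i < ns->n; i++)
		if (!proto_match(ns->state_proto[i], userproto))
			ns->state_proto[kept++] = ns->state_proto[i];
	ns->n = kept;
	return kept;
}

/* States left at the point where xfrm_state_fini() checks list_empty().
 * Constructed sample: ESP and IPComp states plus the IPIP/IPv6 tunnel
 * states assumed to accompany tunnel-mode IPComp. */
static size_t leftover_at_fini(uint8_t userproto)
{
	struct toy_netns ns = {
		{ IPPROTO_ESP, IPPROTO_COMP, IPPROTO_IPV6, IPPROTO_IPIP }, 4
	};

	return toy_flush(&ns, userproto);
}

int main(void)
{
	printf("IPSEC_PROTO_ANY leaves %zu\n", leftover_at_fini(IPSEC_PROTO_ANY));
	printf("0 leaves %zu\n", leftover_at_fini(0));
	return 0;
}
```

A non-zero count for IPSEC_PROTO_ANY corresponds to a non-empty state_all list at netns teardown, which is the condition the warning reports.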
* Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: syzbot @ 2025-07-29 18:47 UTC (permalink / raw)
To: davem, edumazet, herbert, horms, kuba, linux-kernel, netdev,
pabeni, sd, steffen.klassert, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Tested-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Tested on:
commit: 86aa7218 Merge tag 'chrome-platform-v6.17' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16eb74a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6aef71a615d0cdf2
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=14b29782580000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: syzbot @ 2025-08-01 0:54 UTC (permalink / raw)
To: davem, dsahern, edumazet, hdanton, herbert, horms, kuba,
linux-kernel, netdev, pabeni, sd, steffen.klassert,
syzkaller-bugs
syzbot has bisected this issue to:
commit 2a198bbec6913ae1c90ec963750003c6213668c7
Author: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri Jul 4 14:54:34 2025 +0000
Revert "xfrm: destroy xfrm_state synchronously on net exit path"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1714d2a2580000
start commit: 038d61fd6422 Linux 6.16
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1494d2a2580000
console output: https://syzkaller.appspot.com/x/log.txt?x=1094d2a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Fixes: 2a198bbec691 ("Revert "xfrm: destroy xfrm_state synchronously on net exit path"")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: Tetsuo Handa @ 2025-08-28 11:06 UTC (permalink / raw)
To: Sabrina Dubroca, Steffen Klassert
Cc: syzbot, davem, edumazet, herbert, horms, kuba, linux-kernel,
netdev, pabeni, syzkaller-bugs
syzbot is still hitting this problem. Please check.
On 2025/07/29 20:09, Sabrina Dubroca wrote:
>> Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
>> At least reverting them makes it go away. Can you please look
>> into this?
>
> I haven't looked at the other reports yet, but this one seems to be a
> stupid mistake in my revert patch. With these changes, the syzbot
> repro stops splatting here:
* Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)
From: Sabrina Dubroca @ 2025-08-29 8:57 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Steffen Klassert, syzbot, davem, edumazet, herbert, horms, kuba,
linux-kernel, netdev, pabeni, syzkaller-bugs
2025-08-28, 20:06:29 +0900, Tetsuo Handa wrote:
> syzbot is still hitting this problem. Please check.
Thanks for the ping.
syzbot has found 2 different bugs that need separate fixes (but with
the same symptoms, hitting that WARNING, and coming from the same
patch series). I fixed one (syzbot confirmed the fix), I'm working on
the other one now.
> On 2025/07/29 20:09, Sabrina Dubroca wrote:
> >> Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
> >> At least reverting them makes it go away. Can you please look
> >> into this?
> >
> > I haven't looked at the other reports yet, but this one seems to be a
> > stupid mistake in my revert patch. With these changes, the syzbot
> > repro stops splatting here:
--
Sabrina