From: Ido Schimmel <idosch@idosch.org>
To: syzbot <syzbot+d810d3cd45ed1848c3f7@syzkaller.appspotmail.com>,
vladbu@nvidia.com
Cc: ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net,
davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
hawk@kernel.org, idosch@nvidia.com, jasowang@redhat.com,
john.fastabend@gmail.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
vladbu@nvidia.com, willemdebruijn.kernel@gmail.com
Subject: Re: [syzbot] [net?] WARNING in ip6_tnl_exit_batch_net
Date: Fri, 11 Aug 2023 18:03:15 +0300 [thread overview]
Message-ID: <ZNZNs3I20BK7/kmp@shredder> (raw)
In-Reply-To: <0000000000009f0f9c0602a616ce@google.com>
On Fri, Aug 11, 2023 at 06:57:07AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 048c796beb6e ipv6: adjust ndisc_is_useropt() to also retur..
> git tree: net
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=103213a5a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=fa5bd4cd5ab6259d
> dashboard link: https://syzkaller.appspot.com/bug?extid=d810d3cd45ed1848c3f7
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1475a873a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153cc91ba80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/bf6b84b5998f/disk-048c796b.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4000dee89ebe/vmlinux-048c796b.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/b700ee9bd306/bzImage-048c796b.xz
>
> The issue was bisected to:
>
> commit 718cb09aaa6fa78cc8124e9517efbc6c92665384
> Author: Vlad Buslov <vladbu@nvidia.com>
> Date: Tue Aug 8 09:35:21 2023 +0000
>
> vlan: Fix VLAN 0 memory leak
I wasn't able to reproduce using the C reproducer, but I'm pretty sure I
know what is the problem. I wasn't aware that user space can create VLAN
devices with VID 0, which can result in the VLAN driver wrongly deleting
it upon NETDEV_DOWN. Reproduced using:
ip link add name dummy1 up type dummy
ip link add link dummy1 name dummy1.0 type vlan id 0
ip link del dev dummy1
Always adding VID 0 on NETDEV_UP "solves" the problem, but it will
increase the memory consumption for each netdev, which is not ideal. A
possible solution is trying to delete VID 0 upon NETDEV_UNREGISTER
instead of only iterating over upper VLAN devices.
Anyway, Vlad, it's probably best to send a revert while we figure it
out.
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12cbf169a80000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=11cbf169a80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=16cbf169a80000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d810d3cd45ed1848c3f7@syzkaller.appspotmail.com
> Fixes: 718cb09aaa6f ("vlan: Fix VLAN 0 memory leak")
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 12 at net/core/dev.c:10876 unregister_netdevice_many_notify+0x14d8/0x19a0 net/core/dev.c:10876
> Modules linked in:
> CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.5.0-rc4-syzkaller-00248-g048c796beb6e #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
> Workqueue: netns cleanup_net
> RIP: 0010:unregister_netdevice_many_notify+0x14d8/0x19a0 net/core/dev.c:10876
> Code: b4 1a 00 00 48 c7 c6 e0 18 81 8b 48 c7 c7 20 19 81 8b c6 05 ab 19 6c 06 01 e8 b4 22 23 f9 0f 0b e9 64 f7 ff ff e8 68 60 5c f9 <0f> 0b e9 3b f7 ff ff e8 fc 68 b0 f9 e9 fc ec ff ff 4c 89 e7 e8 4f
> RSP: 0018:ffffc90000117a30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000070de5201 RCX: 0000000000000000
> RDX: ffff88801526d940 RSI: ffffffff8829a7b8 RDI: 0000000000000001
> RBP: ffff88807d7ee000 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000001 R11: ffffffff81004e11 R12: ffff888018fb2a00
> R13: 0000000000000000 R14: 0000000000000002 R15: ffff888018fb2a00
> FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005581d741a950 CR3: 000000007deef000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> ip6_tnl_exit_batch_net+0x57d/0x6f0 net/ipv6/ip6_tunnel.c:2278
> ops_exit_list+0x125/0x170 net/core/net_namespace.c:175
> cleanup_net+0x505/0xb20 net/core/net_namespace.c:614
> process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
> worker_thread+0x687/0x1110 kernel/workqueue.c:2748
> kthread+0x33a/0x430 kernel/kthread.c:389
> ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
> </TASK>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to change bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
next prev parent reply other threads:[~2023-08-11 15:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-11 13:57 [syzbot] [net?] WARNING in ip6_tnl_exit_batch_net syzbot
2023-08-11 15:03 ` Ido Schimmel [this message]
2023-08-11 15:06 ` Vlad Buslov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZNZNs3I20BK7/kmp@shredder \
--to=idosch@idosch.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=idosch@nvidia.com \
--cc=jasowang@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+d810d3cd45ed1848c3f7@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vladbu@nvidia.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).