syzbot


BUG: sleeping function called from invalid context in htb_destroy

Status: fixed on 2021/04/22 11:27
Reported-by: syzbot+133797b60df119bcf35d@syzkaller.appspotmail.com
Fix commit: 66f6f4094ff2 net: sched: validate stab values
First crash: 1623d, last: 1101d
Fix bisection: fixed by (bisect log) :
commit 66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83
Author: Eric Dumazet <edumazet@google.com>
Date: Wed Mar 10 16:26:41 2021 +0000

  net: sched: validate stab values

  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 BUG: sleeping function called from invalid context in htb_destroy C inconclusive 3 1387d 1636d 0/1 upstream: reported C repro on 2019/10/05 07:11
Fix bisection attempts (19)
Created Duration User Patch Repo Result
2021/04/22 07:11 3h29m bisect fix linux-4.19.y job log (1)
2021/03/23 06:48 22m bisect fix linux-4.19.y job log (0) log
2021/02/21 06:26 22m bisect fix linux-4.19.y job log (0) log
2021/02/18 03:20 19m bisect fix linux-4.19.y error job log (0)
2021/02/05 08:34 1m bisect fix linux-4.19.y error job log (0)
2021/01/06 08:10 23m bisect fix linux-4.19.y job log (0) log
2020/12/07 07:29 28m bisect fix linux-4.19.y job log (0) log
2020/11/07 07:06 23m bisect fix linux-4.19.y job log (0) log
2020/10/08 06:41 24m bisect fix linux-4.19.y job log (0) log
2020/09/08 02:23 28m bisect fix linux-4.19.y job log (0) log
2020/08/09 01:58 25m bisect fix linux-4.19.y job log (0) log
2020/07/10 01:34 23m bisect fix linux-4.19.y job log (0) log
2020/06/10 01:10 24m bisect fix linux-4.19.y job log (0) log
2020/05/11 00:31 25m bisect fix linux-4.19.y job log (0) log
2020/04/11 00:07 24m bisect fix linux-4.19.y job log (0) log
2020/03/11 23:41 25m bisect fix linux-4.19.y job log (0) log
2020/02/10 20:31 23m bisect fix linux-4.19.y job log (0) log
2020/01/11 20:07 23m bisect fix linux-4.19.y job log (0) log
2019/12/12 18:07 24m bisect fix linux-4.19.y job log (0) log

Sample crash report:
audit: type=1400 audit(1571419496.237:36): avc:  denied  { map } for  pid=7625 comm="syz-executor335" path="/root/syz-executor335230362" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
BUG: sleeping function called from invalid context at kernel/workqueue.c:2856
in_atomic(): 1, irqs_disabled(): 0, pid: 7627, name: syz-executor335
2 locks held by syz-executor335/7627:
 #0: 000000005ec5a32d (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
 #0: 000000005ec5a32d (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00 net/core/rtnetlink.c:4744
 #1: 00000000e4aa4d53 (&qdisc_rx_lock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
 #1: 00000000e4aa4d53 (&qdisc_rx_lock){+...}, at: sch_tree_lock include/net/sch_generic.h:471 [inline]
 #1: 00000000e4aa4d53 (&qdisc_rx_lock){+...}, at: red_change+0x3b8/0x1150 net/sched/sch_red.c:230
Preemption disabled at:
[<ffffffff858492f8>] spin_lock_bh include/linux/spinlock.h:334 [inline]
[<ffffffff858492f8>] sch_tree_lock include/net/sch_generic.h:471 [inline]
[<ffffffff858492f8>] red_change+0x3b8/0x1150 net/sched/sch_red.c:230
CPU: 0 PID: 7627 Comm: syz-executor335 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 ___might_sleep.cold+0x1bd/0x1f6 kernel/sched/core.c:6191
 __might_sleep+0x95/0x190 kernel/sched/core.c:6144
 start_flush_work kernel/workqueue.c:2856 [inline]
 __flush_work+0x103/0x870 kernel/workqueue.c:2919
 __cancel_work_timer+0x3bf/0x520 kernel/workqueue.c:3007
 cancel_work_sync+0x18/0x20 kernel/workqueue.c:3043
 htb_destroy+0x26/0x4b0 net/sched/sch_htb.c:1241
 qdisc_destroy+0x195/0x690 net/sched/sch_generic.c:970
 red_change+0x55d/0x1150 net/sched/sch_red.c:236
 qdisc_change net/sched/sch_api.c:1239 [inline]
 tc_modify_qdisc+0xfc7/0x1bdc net/sched/sch_api.c:1542
 rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
 netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2153
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446519
Code: e8 1c ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f53b8b24d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446519
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000006dbc6c
R13: 00000000004aeac4 R14: b35d2484a6425def R15: 10eb52a57aaf8377

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/18 17:28 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report syz C ci2-linux-4-19
2019/10/18 14:36 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report syz C ci2-linux-4-19
* Struck through repros no longer work on HEAD.