syzbot


INFO: task hung in tcf_ife_init

Status: fixed on 2020/10/10 01:52
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+80e32b5d1f9923f8ace6@syzkaller.appspotmail.com
Fix commit: cc8e58f8325c act_ife: load meta modules before tcf_idr_check_alloc()
First crash: 1499d, last: 1494d
Cause bisection: introduced by (bisect log) :
commit 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2
Author: Vlad Buslov <vladbu@mellanox.com>
Date: Thu Jul 5 14:24:30 2018 +0000

  net: sched: don't release reference on action overwrite

Crash: KASAN: use-after-free Read in __tcf_action_put (log)
Repro: C syz .config
  
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 5.8 00/56] 5.8.12-rc1 review 65 (65) 2020/09/26 16:10
[PATCH 5.4 00/43] 5.4.68-rc1 review 47 (47) 2020/09/26 15:43
[Patch net] act_ife: load meta modules before tcf_idr_check_alloc() 4 (4) 2020/09/07 12:13
INFO: task hung in tcf_ife_init 3 (5) 2020/09/03 18:11
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 INFO: task hung in tcf_ife_init C error 10 805d 1499d 0/1 upstream: reported C repro on 2020/09/03 06:16
Last patch testing requests (1)
Created Duration User Patch Repo Result
2020/09/03 18:49 17m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git net OK

Sample crash report:
INFO: task syz-executor791:6844 blocked for more than 143 seconds.
      Not tainted 5.9.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor791 state:D stack:25032 pid: 6844 ppid:  6842 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0xea9/0x2230 kernel/sched/core.c:4527
 schedule+0xd0/0x2a0 kernel/sched/core.c:4602
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 load_metaops_and_vet net/sched/act_ife.c:277 [inline]
 populate_metalist net/sched/act_ife.c:452 [inline]
 tcf_ife_init+0x11a4/0x16f0 net/sched/act_ife.c:578
 tcf_action_init_1+0x6a5/0xac0 net/sched/act_api.c:984
 tcf_action_init+0x249/0x380 net/sched/act_api.c:1043
 tcf_action_add+0xd9/0x360 net/sched/act_api.c:1451
 tc_ctl_action+0x33a/0x439 net/sched/act_api.c:1504
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4471d9
Code: Bad RIP value.
RSP: 002b:00007f796a6d1db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 00000000004471d9
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000246 R12: 00000000006dcc2c
R13: 00007ffcf477b02f R14: 00007f796a6d29c0 R15: 20c49ba5e353f7cf

Showing all locks held in the system:
1 lock held by khungtaskd/1168:
 #0: ffffffff89bd6a40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:5829
3 locks held by kworker/0:2/2626:
 #0: ffff888214917138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff888214917138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: ffff888214917138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: ffff888214917138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: ffff888214917138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: ffff888214917138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x82b/0x1670 kernel/workqueue.c:2240
 #1: ffffc90006897da8 ((addr_chk_work).work){+.+.}-{0:0}, at: process_one_work+0x85f/0x1670 kernel/workqueue.c:2244
 #2: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0xa/0x20 net/ipv6/addrconf.c:4568
1 lock held by in:imklog/6733:
 #0: ffff8880a2072670 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:930
1 lock held by syz-executor791/6844:
 #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: load_metaops_and_vet net/sched/act_ife.c:277 [inline]
 #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: populate_metalist net/sched/act_ife.c:452 [inline]
 #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: tcf_ife_init+0x11a4/0x16f0 net/sched/act_ife.c:578
1 lock held by syz-executor791/6846:

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1168 Comm: khungtaskd Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1b3/0x223 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline]
 watchdog+0xd7d/0x1000 kernel/hung_task.c:295
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 6846 Comm: syz-executor791 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:lock_release+0x4b8/0x8f0 kernel/locking/lockdep.c:5014
Code: d2 5b 08 00 0f 84 ac 01 00 00 48 8b 3c 24 57 9d 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 48 01 c5 48 c7 45 00 00 00 00 00 <c7> 45 08 00 00 00 00 48 8b 84 24 88 00 00 00 65 48 2b 04 25 28 00
RSP: 0018:ffffc900013c6ce8 EFLAGS: 00000286
RAX: dffffc0000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffff88809a063668 RDI: 0000000000000282
RBP: fffff52000278d9f R08: 0000000000000001 R09: ffff8880a19e4be0
R10: fffffbfff1564d71 R11: 0000000000000001 R12: ffff8880a19e4300
R13: 0000000000000001 R14: ffffffff865b709e R15: ffff8880a19e4300
FS:  00007f796a6b1700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92e6066ab4 CR3: 00000000a15a2000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __mutex_unlock_slowpath+0x81/0x610 kernel/locking/mutex.c:1228
 tcf_idr_check_alloc+0x29e/0x3b0 net/sched/act_api.c:515
 tcf_ife_init+0x3b1/0x16f0 net/sched/act_ife.c:513
 tcf_action_init_1+0x6a5/0xac0 net/sched/act_api.c:984
 tcf_action_init+0x249/0x380 net/sched/act_api.c:1043
 tcf_action_add+0xd9/0x360 net/sched/act_api.c:1451
 tc_ctl_action+0x33a/0x439 net/sched/act_api.c:1504
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4471d9
Code: e8 ec b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f796a6b0db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 00000000004471d9
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000004
RBP: 00000000006dcc30 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00000000006dcc3c
R13: 00007ffcf477b02f R14: 00007f796a6b19c0 R15: 20c49ba5e353f7cf

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/07 21:57 upstream f4d51dffc6c0 abf9ba4f .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/09/06 08:58 upstream 9322c47b21b9 abf9ba4f .config console log report syz C ci-upstream-kasan-gce-root
2020/09/03 05:53 net-old 1996cf46e467 abf9ba4f .config console log report syz C ci-upstream-net-this-kasan-gce
2020/09/03 08:35 net-next-old d3dfc362e073 abf9ba4f .config console log report syz C ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.