syzbot


suspicious RCU usage at ./include/linux/inetdevice.h:LINE

Status: public: reported C repro on 2019/04/14 08:51
Reported-by: syzbot+9e59647e850dd702e4e4@syzkaller.appspotmail.com
First crash: 2485d, last: 2485d
Similar bugs (2)

| Kernel   | Title                                                            | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status                      |
|----------|------------------------------------------------------------------|-------|--------------|------------|-------|-------|----------|---------|-----------------------------|
| upstream | suspicious RCU usage at ./include/linux/inetdevice.h:LINE (2) net | C     |              |            | 4     | 2485d | 2485d    | 4/28    | fixed on 2018/02/04 23:45   |
| upstream | suspicious RCU usage at ./include/linux/inetdevice.h:LINE net     |       |              |            | 28    | 2568d | 2576d    | 4/28    | fixed on 2018/02/01 10:32   |

Sample crash report:
===============================
[ INFO: suspicious RCU usage. ]
4.9.79-g71f1469 #34 Not tainted
-------------------------------
./include/linux/inetdevice.h:205 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
3 locks held by sh/5615:
 #0:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff814c9dfb>] spin_lock include/linux/spinlock.h:302 [inline]
 #0:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff814c9dfb>] zap_pte_range mm/memory.c:1125 [inline]
 #0:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff814c9dfb>] zap_pmd_range mm/memory.c:1258 [inline]
 #0:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff814c9dfb>] zap_pud_range mm/memory.c:1279 [inline]
 #0:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff814c9dfb>] unmap_page_range+0x78b/0x1830 mm/memory.c:1300
 #1:  (((&im->timer))){+.-...}, at: [<ffffffff812a56c4>] lockdep_copy_map include/linux/lockdep.h:165 [inline]
 #1:  (((&im->timer))){+.-...}, at: [<ffffffff812a56c4>] call_timer_fn+0xe4/0x700 kernel/time/timer.c:1309
 #2:  (&(&im->lock)->rlock){+.-...}, at: [<ffffffff832fbe39>] spin_lock_bh include/linux/spinlock.h:307 [inline]
 #2:  (&(&im->lock)->rlock){+.-...}, at: [<ffffffff832fbe39>] igmpv3_send_report+0x39/0x480 net/ipv4/igmp.c:600

stack backtrace:
CPU: 0 PID: 5615 Comm: sh Not tainted 4.9.79-g71f1469 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801db207968 ffffffff81d94829 ffff8801bea79800 0000000000000000
 0000000000000002 ffffffff83f2fe60 00000000160000e0 ffff8801db207998
 ffffffff81238379 ffff8801d7876280 ffff8801d6219110 ffff8801c2f68000
Call Trace:
 <IRQ> [   28.783681]  [<ffffffff81d94829>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [   28.783681]  [<ffffffff81d94829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81238379>] lockdep_rcu_suspicious+0x139/0x180 kernel/locking/lockdep.c:4455
 [<ffffffff832f66dc>] __in_dev_get_rcu include/linux/inetdevice.h:205 [inline]
 [<ffffffff832f66dc>] igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
 [<ffffffff832f66dc>] igmpv3_newpack+0xc3c/0xe80 net/ipv4/igmp.c:389
 [<ffffffff832f6b55>] add_grhead.isra.29+0x235/0x300 net/ipv4/igmp.c:432
 [<ffffffff832f79c2>] add_grec+0xae2/0x1010 net/ipv4/igmp.c:565
 [<ffffffff832fbe7f>] igmpv3_send_report+0x7f/0x480 net/ipv4/igmp.c:605
 [<ffffffff832fcc87>] igmp_send_report+0x997/0xc90 net/ipv4/igmp.c:722
 [<ffffffff832fd7ad>] igmp_timer_expire+0x29d/0x3d0 net/ipv4/igmp.c:831
 [<ffffffff812a5744>] call_timer_fn+0x164/0x700 kernel/time/timer.c:1319
 [<ffffffff812a79cc>] expire_timers kernel/time/timer.c:1359 [inline]
 [<ffffffff812a79cc>] __run_timers kernel/time/timer.c:1658 [inline]
 [<ffffffff812a79cc>] run_timer_softirq+0xe8c/0x1650 kernel/time/timer.c:1684
 [<ffffffff838ba0c6>] __do_softirq+0x206/0x951 kernel/softirq.c:284
 [<ffffffff81146be5>] invoke_softirq kernel/softirq.c:364 [inline]
 [<ffffffff81146be5>] irq_exit+0x165/0x190 kernel/softirq.c:405
 [<ffffffff838b8cdb>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff838b8cdb>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:960
 [<ffffffff838b4f60>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:752
 <EOI> [   28.967738]  [<ffffffff81dfbc6b>] ? check_preemption_disabled+0x3b/0x200 lib/smp_processor_id.c:51
 [<ffffffff8149d190>] __dec_node_page_state+0x10/0x20 mm/vmstat.c:387
 [<ffffffff814f48cb>] page_remove_rmap+0x29b/0x6e0 mm/rmap.c:1444
 [<ffffffff814ca382>] zap_pte_range mm/memory.c:1171 [inline]
 [<ffffffff814ca382>] zap_pmd_range mm/memory.c:1258 [inline]
 [<ffffffff814ca382>] zap_pud_range mm/memory.c:1279 [inline]
 [<ffffffff814ca382>] unmap_page_range+0xd12/0x1830 mm/memory.c:1300
 [<ffffffff814cafab>] unmap_single_vma+0x10b/0x270 mm/memory.c:1345
 [<ffffffff814cb911>] unmap_vmas+0xf1/0x1b0 mm/memory.c:1375
 [<ffffffff814e3c4b>] exit_mmap+0x20b/0x400 mm/mmap.c:2988
 [<ffffffff81127443>] __mmput kernel/fork.c:878 [inline]
 [<ffffffff81127443>] mmput+0xf3/0x2d0 kernel/fork.c:900
 [<ffffffff8113c18a>] exit_mm kernel/exit.c:514 [inline]
 [<ffffffff8113c18a>] do_exit+0x70a/0x2a40 kernel/exit.c:820
 [<ffffffff81142978>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81142bad>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81142bad>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
random: crng init done

Crashes (2):

| Time             | Kernel                                                    | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager                    | Title |
|------------------|-----------------------------------------------------------|--------------|-----------|---------|-------------|--------|-----------|---------|---------|--------|----------------------------|-------|
| 2018/02/01 13:52 | https://android.googlesource.com/kernel/common android-4.9 | 71f146972231 | 02553e22  | .config | console log | report | syz       | C       |         |        | ci-android-49-kasan-gce-386 |       |
| 2018/02/01 14:19 | https://android.googlesource.com/kernel/common android-4.9 | 71f146972231 | 02553e22  | .config | console log | report | syz       |         |         |        | ci-android-49-kasan-gce     |       |
* Struck through repros no longer work on HEAD.