syzbot

 sign-in | mailing list | source | docs
🐞 Open [142]
🐞 Fixed [16]
🐞 Invalid [163]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

INFO: suspicious RCU usage in __l2tp_session_unhash

Status: public: reported C repro on 2019/04/11 08:44
Reported-by: syzbot+a8c73a0dae7ebce04957@syzkaller.appspotmail.com
First crash: 2318d, last: 2292d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 INFO: suspicious RCU usage in __l2tp_session_unhash 46 2280d 2400d 0/3 auto-closed as invalid on 2019/02/22 12:31

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready

===============================
[ INFO: suspicious RCU usage. ]
4.4.147-ga5fc665 #80 Not tainted
-------------------------------
kernel/rcu/tree_plugin.h:685 Illegal synchronize_rcu() in RCU read-side critical section!

other info that might help us debug this:


rcu_scheduler_active = 1, debug_locks = 0
4 locks held by syz-executor554/4180:
 #0:  (l2tp_sock){+.....}, at: [<ffffffff835a159c>] spin_lock include/linux/spinlock.h:302 [inline]
 #0:  (l2tp_sock){+.....}, at: [<ffffffff835a159c>] l2tp_xmit_skb+0x38c/0xeb0 net/l2tp/l2tp_core.c:1139
 #1:  (rcu_read_lock){......}, at: [<ffffffff834f266f>] inet6_csk_xmit+0xff/0x490 net/ipv6/inet6_connection_sock.c:163
 #2:  (rcu_read_lock_bh){......}, at: [<ffffffff8342f525>] ip6_finish_output2+0x1d5/0x1ca0 net/ipv6/ip6_output.c:71
 #3:  (&n->lock){++--..}, at: [<ffffffff82fa818f>] __neigh_event_send+0x2f/0xc50 net/core/neighbour.c:969

stack backtrace:
CPU: 0 PID: 4180 Comm: syz-executor554 Not tainted 4.4.147-ga5fc665 #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 8468dad2c3a09b73 ffff8800b8db7090 ffffffff81e12a4d
 ffff8801d7973000 0000000000000000 0000000000000001 ffffffff83a68200
 ffff8800b9a257d8 ffff8800b8db70c0 ffffffff814108b7 ffff8800b9a25680
Call Trace:
 [<ffffffff81e12a4d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e12a4d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814108b7>] lockdep_rcu_suspicious.cold.47+0x110/0x141 kernel/locking/lockdep.c:4305
 [<ffffffff81283d08>] synchronize_rcu+0x78/0xa0 kernel/rcu/tree_plugin.h:682
 [<ffffffff835a551a>] __l2tp_session_unhash+0x38a/0x520 net/l2tp/l2tp_core.c:1702
 [<ffffffff835a587b>] l2tp_tunnel_closeall+0x1cb/0x350 net/l2tp/l2tp_core.c:1270
 [<ffffffff835a6152>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1230
 [<ffffffff82f34a2c>] sk_destruct+0x4c/0x4c0 net/core/sock.c:1447
 [<ffffffff82f34eef>] __sk_free+0x4f/0x220 net/core/sock.c:1480
 [<ffffffff82f36e83>] sock_wfree+0x103/0x140 net/core/sock.c:1667
 [<ffffffff82f3ab03>] skb_release_head_state+0x103/0x210 net/core/skbuff.c:646
 [<ffffffff82f3c9e5>] skb_release_all+0x15/0x60 net/core/skbuff.c:659
 [<ffffffff82f3ca45>] __kfree_skb+0x15/0x20 net/core/skbuff.c:675
 [<ffffffff82f3cb47>] kfree_skb+0xf7/0x3e0 net/core/skbuff.c:696
 [<ffffffff82fa87b2>] __neigh_event_send+0x652/0xc50 net/core/neighbour.c:1016
 [<ffffffff82fae0cb>] neigh_event_send include/net/neighbour.h:431 [inline]
 [<ffffffff82fae0cb>] neigh_resolve_output+0x4eb/0x790 net/core/neighbour.c:1310
 [<ffffffff8342fc79>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8342fc79>] ip6_finish_output2+0x929/0x1ca0 net/ipv6/ip6_output.c:113
 [<ffffffff834392b8>] ip6_finish_output+0x3b8/0x760 net/ipv6/ip6_output.c:131
 [<ffffffff83439818>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff83439818>] ip6_output+0x1b8/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff83431c6a>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff83431c6a>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff83431c6a>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff83431c6a>] ip6_xmit+0xc7a/0x1a00 net/ipv6/ip6_output.c:242
 [<ffffffff834f27b5>] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [<ffffffff835a1dfb>] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [<ffffffff835a1dfb>] l2tp_xmit_skb+0xbeb/0xeb0 net/l2tp/l2tp_core.c:1179
 [<ffffffff835ae330>] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [<ffffffff82f2391c>] sock_sendmsg_nosec net/socket.c:626 [inline]
 [<ffffffff82f2391c>] sock_sendmsg+0xcc/0x110 net/socket.c:636
 [<ffffffff82f250e1>] ___sys_sendmsg+0x441/0x880 net/socket.c:1963
 [<ffffffff82f276be>] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2048
 [<ffffffff82f278a5>] SYSC_sendmmsg net/socket.c:2078 [inline]
 [<ffffffff82f278a5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2073
 [<ffffffff838c8c65>] entry_SYSCALL_64_fastpath+0x22/0x9e
BUG: sleeping function called from invalid context at kernel/sched/completion.c:90
in_atomic(): 1, irqs_disabled(): 0, pid: 4180, name: syz-executor554
INFO: lockdep is turned off.
Preemption disabled at:[<ffffffff82f2391c>] sock_sendmsg_nosec net/socket.c:626 [inline]
Preemption disabled at:[<ffffffff82f2391c>] sock_sendmsg+0xcc/0x110 net/socket.c:636

CPU: 0 PID: 4180 Comm: syz-executor554 Not tainted 4.4.147-ga5fc665 #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 8468dad2c3a09b73 ffff8800b8db6e10 ffffffff81e12a4d
 ffff8801d7973000 0000000000000000 ffff8801d7973000 000000000000005a
 ffff8801d7973000 ffff8800b8db6e48 ffffffff8140e9d5 ffff8801d7973000
Call Trace:
 [<ffffffff81e12a4d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e12a4d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8140e9d5>] ___might_sleep.cold.116+0x1bd/0x1d3 kernel/sched/core.c:7988
 [<ffffffff811a69f0>] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948
 [<ffffffff838bdbe9>] __wait_for_common kernel/sched/completion.c:90 [inline]
 [<ffffffff838bdbe9>] wait_for_common kernel/sched/completion.c:101 [inline]
 [<ffffffff838bdbe9>] wait_for_completion+0x89/0x2e0 kernel/sched/completion.c:122
 [<ffffffff81279607>] __wait_rcu_gp+0x137/0x1b0 kernel/rcu/update.c:347
 [<ffffffff81281d04>] synchronize_rcu.part.55+0x94/0xd0 kernel/rcu/tree_plugin.h:691
 [<ffffffff81283cc7>] synchronize_rcu+0x37/0xa0 kernel/rcu/tree_plugin.h:692
 [<ffffffff835a551a>] __l2tp_session_unhash+0x38a/0x520 net/l2tp/l2tp_core.c:1702
 [<ffffffff835a587b>] l2tp_tunnel_closeall+0x1cb/0x350 net/l2tp/l2tp_core.c:1270
 [<ffffffff835a6152>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1230
 [<ffffffff82f34a2c>] sk_destruct+0x4c/0x4c0 net/core/sock.c:1447
 [<ffffffff82f34eef>] __sk_free+0x4f/0x220 net/core/sock.c:1480
 [<ffffffff82f36e83>] sock_wfree+0x103/0x140 net/core/sock.c:1667
 [<ffffffff82f3ab03>] skb_release_head_state+0x103/0x210 net/core/skbuff.c:646
 [<ffffffff82f3c9e5>] skb_release_all+0x15/0x60 net/core/skbuff.c:659
 [<ffffffff82f3ca45>] __kfree_skb+0x15/0x20 net/core/skbuff.c:675
 [<ffffffff82f3cb47>] kfree_skb+0xf7/0x3e0 net/core/skbuff.c:696
 [<ffffffff82fa87b2>] __neigh_event_send+0x652/0xc50 net/core/neighbour.c:1016
 [<ffffffff82fae0cb>] neigh_event_send include/net/neighbour.h:431 [inline]
 [<ffffffff82fae0cb>] neigh_resolve_output+0x4eb/0x790 net/core/neighbour.c:1310
 [<ffffffff8342fc79>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8342fc79>] ip6_finish_output2+0x929/0x1ca0 net/ipv6/ip6_output.c:113
 [<ffffffff834392b8>] ip6_finish_output+0x3b8/0x760 net/ipv6/ip6_output.c:131
 [<ffffffff83439818>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff83439818>] ip6_output+0x1b8/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff83431c6a>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff83431c6a>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff83431c6a>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff83431c6a>] ip6_xmit+0xc7a/0x1a00 net/ipv6/ip6_output.c:242
 [<ffffffff834f27b5>] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [<ffffffff835a1dfb>] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [<ffffffff835a1dfb>] l2tp_xmit_skb+0xbeb/0xeb0 net/l2tp/l2tp_core.c:1179
 [<ffffffff835ae330>] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [<ffffffff82f2391c>] sock_sendmsg_nosec net/socket.c:626 [inline]
 [<ffffffff82f2391c>] sock_sendmsg+0xcc/0x110 net/socket.c:636
 [<ffffffff82f250e1>] ___sys_sendmsg+0x441/0x880 net/socket.c:1963
 [<ffffffff82f276be>] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2048
 [<ffffffff82f278a5>] SYSC_sendmmsg net/socket.c:2078 [inline]
 [<ffffffff82f278a5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2073
 [<ffffffff838c8c65>] entry_SYSCALL_64_fastpath+0x22/0x9e
BUG: scheduling while atomic: syz-executor554/4180/0x00000603
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:[<ffffffff82f2391c>] sock_sendmsg_nosec net/socket.c:626 [inline]
Preemption disabled at:[<ffffffff82f2391c>] sock_sendmsg+0xcc/0x110 net/socket.c:636

CPU: 0 PID: 4180 Comm: syz-executor554 Not tainted 4.4.147-ga5fc665 #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 8468dad2c3a09b73 ffff8800b8db6c68 ffffffff81e12a4d
 ffff8801d7973000 0000000000000603 000000000001f540 0000000000000000
 0000000000000000 ffff8800b8db6c88 ffffffff8140eac9 ffff8801db21f540
Call Trace:
 [<ffffffff81e12a4d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e12a4d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8140eac9>] __schedule_bug.cold.117+0xde/0x100 kernel/sched/core.c:3138
 [<ffffffff838b9eaf>] schedule_debug kernel/sched/core.c:3153 [inline]
 [<ffffffff838b9eaf>] __schedule+0x11ff/0x1d70 kernel/sched/core.c:3265
 [<ffffffff838bac1a>] schedule+0x7a/0x1b0 kernel/sched/core.c:3355
 [<ffffffff838c6031>] schedule_timeout+0x481/0x8b0 kernel/time/timer.c:1515
 [<ffffffff838bdd5e>] do_wait_for_common kernel/sched/completion.c:75 [inline]
 [<ffffffff838bdd5e>] __wait_for_common kernel/sched/completion.c:93 [inline]
 [<ffffffff838bdd5e>] wait_for_common kernel/sched/completion.c:101 [inline]
 [<ffffffff838bdd5e>] wait_for_completion+0x1fe/0x2e0 kernel/sched/completion.c:122
 [<ffffffff81279607>] __wait_rcu_gp+0x137/0x1b0 kernel/rcu/update.c:347
 [<ffffffff81281d04>] synchronize_rcu.part.55+0x94/0xd0 kernel/rcu/tree_plugin.h:691
 [<ffffffff81283cc7>] synchronize_rcu+0x37/0xa0 kernel/rcu/tree_plugin.h:692
 [<ffffffff835a551a>] __l2tp_session_unhash+0x38a/0x520 net/l2tp/l2tp_core.c:1702
 [<ffffffff835a587b>] l2tp_tunnel_closeall+0x1cb/0x350 net/l2tp/l2tp_core.c:1270
 [<ffffffff835a6152>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1230
 [<ffffffff82f34a2c>] sk_destruct+0x4c/0x4c0 net/core/sock.c:1447
 [<ffffffff82f34eef>] __sk_free+0x4f/0x220 net/core/sock.c:1480
 [<ffffffff82f36e83>] sock_wfree+0x103/0x140 net/core/sock.c:1667
 [<ffffffff82f3ab03>] skb_release_head_state+0x103/0x210 net/core/skbuff.c:646
 [<ffffffff82f3c9e5>] skb_release_all+0x15/0x60 net/core/skbuff.c:659
 [<ffffffff82f3ca45>] __kfree_skb+0x15/0x20 net/core/skbuff.c:675
 [<ffffffff82f3cb47>] kfree_skb+0xf7/0x3e0 net/core/skbuff.c:696
 [<ffffffff82fa87b2>] __neigh_event_send+0x652/0xc50 net/core/neighbour.c:1016
 [<ffffffff82fae0cb>] neigh_event_send include/net/neighbour.h:431 [inline]
 [<ffffffff82fae0cb>] neigh_resolve_output+0x4eb/0x790 net/core/neighbour.c:1310
 [<ffffffff8342fc79>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8342fc79>] ip6_finish_output2+0x929/0x1ca0 net/ipv6/ip6_output.c:113
 [<ffffffff834392b8>] ip6_finish_output+0x3b8/0x760 net/ipv6/ip6_output.c:131
 [<ffffffff83439818>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff83439818>] ip6_output+0x1b8/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff83431c6a>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff83431c6a>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff83431c6a>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff83431c6a>] ip6_xmit+0xc7a/0x1a00 net/ipv6/ip6_output.c:242
 [<ffffffff834f27b5>] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [<ffffffff835a1dfb>] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [<ffffffff835a1dfb>] l2tp_xmit_skb+0xbeb/0xeb0 net/l2tp/l2tp_core.c:1179
 [<ffffffff835ae330>] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [<ffffffff82f2391c>] sock_sendmsg_nosec net/socket.c:626 [inline]
 [<ffffffff82f2391c>] sock_sendmsg+0xcc/0x110 net/socket.c:636
 [<ffffffff82f250e1>] ___sys_sendmsg+0x441/0x880 net/socket.c:1963
 [<ffffffff82f276be>] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2048
 [<ffffffff82f278a5>] SYSC_sendmmsg net/socket.c:2078 [inline]
 [<ffffffff82f278a5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2073
 [<ffffffff838c8c65>] entry_SYSCALL_64_fastpath+0x22/0x9e

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/08/12 19:59 https://android.googlesource.com/kernel/common android-4.4 a5fc66599b61 7a88b141 .config console log report syz C ci-android-44-kasan-gce
2018/08/04 01:35 https://android.googlesource.com/kernel/common android-4.4 2241aa98c9aa df7f6947 .config console log report syz ci-android-44-kasan-gce-386
2018/08/03 04:07 https://android.googlesource.com/kernel/common android-4.4 2241aa98c9aa 5b7e23bb .config console log report syz ci-android-44-kasan-gce-386
2018/08/01 22:53 https://android.googlesource.com/kernel/common android-4.4 2241aa98c9aa 0a7cf4ec .config console log report syz ci-android-44-kasan-gce-386
2018/08/01 06:39 https://android.googlesource.com/kernel/common android-4.4 7bbfac190345 1477993e .config console log report syz ci-android-44-kasan-gce-386
2018/07/30 17:54 https://android.googlesource.com/kernel/common android-4.4 9664bdeff388 1a381291 .config console log report syz ci-android-44-kasan-gce-386
2018/08/12 18:59 https://android.googlesource.com/kernel/common android-4.4 a5fc66599b61 7a88b141 .config console log report ci-android-44-kasan-gce
2018/07/23 18:59 https://android.googlesource.com/kernel/common android-4.4 1b37d68f4c82 f69c5fcd .config console log report ci-android-44-kasan-gce
2018/07/18 06:03 https://android.googlesource.com/kernel/common android-4.4 bda6b6e49b19 6d5bd5b5 .config console log report ci-android-44-kasan-gce
* Struck through repros no longer work on HEAD.