syzbot

 sign-in | mailing list | source | docs
🐞 Open [974] Subsystems 🐞 Fixed [5216] 🐞 Invalid [12471] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

INFO: rcu detected stall in br_handle_frame (2)

Status: fixed on 2020/02/18 14:31
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
Fix commit: d9e15a273306 pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
First crash: 1581d, last: 1580d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: INFO: rcu detected stall in corrupted (log)
Repro: C syz .config
  
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 3.16 000/245] 3.16.83-rc1 review 260 (260) 2020/04/24 17:54
[PATCH 5.4 000/165] 5.4.11-stable review 171 (171) 2020/01/13 18:27
[PATCH 4.19 00/84] 4.19.95-stable review 95 (95) 2020/01/13 15:48
[PATCH 4.14 00/62] 4.14.164-stable review 66 (66) 2020/01/13 15:47
[PATCH 4.9 00/91] 4.9.209-stable review 97 (97) 2020/01/13 15:47
[PATCH 4.4 00/59] 4.4.209-stable review 63 (63) 2020/01/13 15:41
[PATCH net] pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM 2 (2) 2020/01/08 20:41
INFO: rcu detected stall in br_handle_frame (2) 3 (4) 2019/12/30 23:02
Similar bugs (9)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 INFO: rcu detected stall in br_handle_frame (3) 1 1296d 1296d 0/1 auto-closed as invalid on 2021/01/28 07:46
upstream INFO: rcu detected stall in br_handle_frame C done 341 1676d 1681d 13/26 fixed on 2019/10/09 10:54
upstream INFO: rcu detected stall in br_handle_frame (3) bridge 1 1006d 1006d 0/26 auto-closed as invalid on 2021/10/15 13:41
linux-4.14 INFO: rcu detected stall in br_handle_frame (2) C done 1 1581d 1581d 1/1 fixed on 2020/01/19 15:05
linux-4.14 INFO: rcu detected stall in br_handle_frame C done 15 1673d 1685d 1/1 fixed on 2019/12/07 19:24
linux-4.19 INFO: rcu detected stall in br_handle_frame (2) C error 31 441d 1281d 0/1 upstream: reported C repro on 2020/10/14 18:56
linux-4.19 INFO: rcu detected stall in br_handle_frame C done 41 1673d 1685d 1/1 fixed on 2019/12/07 19:18
linux-5.15 INFO: rcu detected stall in br_handle_frame origin:lts-only C error 1 70d 70d 0/3 upstream: reported C repro on 2024/02/08 13:52
upstream INFO: rcu detected stall in br_handle_frame (4) kernel 1 845d 845d 0/26 closed as invalid on 2022/02/08 10:10

Sample crash report:
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
	(detected by 0, t=10502 jiffies, g=10149, q=201)
rcu: All QSes seen, last rcu_preempt kthread activity 10502 (4294978441-4294967939), jiffies_till_next_fqs=1, root ->qsmask 0x0
sshd            R  running task    26584 10034   9965 0x00000008
Call Trace:
 <IRQ>
 sched_show_task kernel/sched/core.c:5954 [inline]
 sched_show_task.cold+0x2ee/0x35d kernel/sched/core.c:5929
 print_other_cpu_stall kernel/rcu/tree_stall.h:410 [inline]
 check_cpu_stall kernel/rcu/tree_stall.h:538 [inline]
 rcu_pending kernel/rcu/tree.c:2827 [inline]
 rcu_sched_clock_irq.cold+0xaf4/0xc02 kernel/rcu/tree.c:2271
 update_process_times+0x2d/0x70 kernel/time/timer.c:1726
 tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:167
 tick_sched_timer+0x53/0x140 kernel/time/tick-sched.c:1310
 __run_hrtimer kernel/time/hrtimer.c:1517 [inline]
 __hrtimer_run_queues+0x364/0xe40 kernel/time/hrtimer.c:1579
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1641
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
 smp_apic_timer_interrupt+0x160/0x610 arch/x86/kernel/apic/apic.c:1135
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:fq_dequeue+0x7b3/0x16a0 net/sched/sch_fq.c:506
Code: 4d 89 af d8 02 00 00 49 c7 45 48 00 00 00 00 e9 01 fd ff ff e8 7e 56 30 fb 48 8b 45 90 48 89 45 d0 48 8b 45 a0 42 80 3c 30 00 <0f> 85 4f 0c 00 00 4d 8b af d0 02 00 00 4d 85 ed 0f 85 ff fc ff ff
RSP: 0018:ffffc90000006ab8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffff1101246725a RBX: 0000000000000000 RCX: ffffffff8644d3d3
RDX: 0000000000000100 RSI: ffffffff8644d672 RDI: ffff88809708c728
RBP: ffffc90000006b40 R08: ffff88809cba2300 R09: fffffbfff16599c5
R10: fffffbfff16599c4 R11: ffffffff8b2cce27 R12: ffff8880923392d8
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888092339000
 dequeue_skb net/sched/sch_generic.c:263 [inline]
 qdisc_restart net/sched/sch_generic.c:366 [inline]
 __qdisc_run+0x1a5/0x1770 net/sched/sch_generic.c:384
 __dev_xmit_skb net/core/dev.c:3677 [inline]
 __dev_queue_xmit+0x163f/0x35c0 net/core/dev.c:3982
 dev_queue_xmit+0x18/0x20 net/core/dev.c:4046
 br_dev_queue_push_xmit+0x3f3/0x5e0 net/bridge/br_forward.c:52
 br_nf_dev_queue_xmit+0x34e/0x14b0 net/bridge/br_netfilter_hooks.c:800
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 br_nf_post_routing+0x14e9/0x1d10 net/bridge/br_netfilter_hooks.c:848
 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
 nf_hook_slow+0xbc/0x1e0 net/netfilter/core.c:512
 nf_hook include/linux/netfilter.h:262 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 br_forward_finish+0x215/0x3f0 net/bridge/br_forward.c:65
 br_nf_hook_thresh+0x2e9/0x370 net/bridge/br_netfilter_hooks.c:1019
 br_nf_forward_finish+0x667/0xa80 net/bridge/br_netfilter_hooks.c:564
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 br_nf_forward_ip net/bridge/br_netfilter_hooks.c:634 [inline]
 br_nf_forward_ip+0xc65/0x21d0 net/bridge/br_netfilter_hooks.c:575
 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
 nf_hook_slow+0xbc/0x1e0 net/netfilter/core.c:512
 nf_hook include/linux/netfilter.h:262 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 __br_forward+0x393/0xaf0 net/bridge/br_forward.c:109
 deliver_clone+0x61/0xc0 net/bridge/br_forward.c:125
 br_flood+0x325/0x3d0 net/bridge/br_forward.c:232
 br_handle_frame_finish+0xb46/0x1670 net/bridge/br_input.c:162
 br_nf_hook_thresh+0x2e9/0x370 net/bridge/br_netfilter_hooks.c:1019
 br_nf_pre_routing_finish_ipv6+0x6fa/0xdb0 net/bridge/br_netfilter_ipv6.c:206
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_nf_pre_routing_ipv6+0x456/0x830 net/bridge/br_netfilter_ipv6.c:236
 br_nf_pre_routing+0x1896/0x22b3 net/bridge/br_netfilter_hooks.c:505
 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:224 [inline]
 br_handle_frame+0x806/0x1340 net/bridge/br_input.c:349
 __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5051
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5148
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5264
 process_backlog+0x206/0x750 net/core/dev.c:6095
 napi_poll net/core/dev.c:6532 [inline]
 net_rx_action+0x508/0x1120 net/core/dev.c:6600
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:sk_page_frag include/net/sock.h:2255 [inline]
RIP: 0010:tcp_sendmsg_locked+0x1a1d/0x33a0 net/ipv4/tcp.c:1318
Code: f0 fe ff ff 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 00 17 00 00 41 89 9e b8 00 00 00 41 bf f2 ff ff ff e9 7f 03 00 00 <e8> 9e 93 eb fa 48 8b 85 90 fe ff ff 48 89 85 10 ff ff ff e9 a8 f5
RSP: 0018:ffffc90001df7920 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: ffff888093571afc RCX: ffffffff86898ee8
RDX: 0000000000000400 RSI: 0000000000000400 RDI: 0000000000000005
RBP: ffffc90001df7ab0 R08: ffff88809cba2300 R09: ffffed1013bf3d5d
R10: ffffed1013bf3d5c R11: ffff88809df9eae3 R12: 0000000000000038
R13: ffff888093571a40 R14: ffff888085e92040 R15: dffffc0000000000
 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1436
 inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:659
 sock_write_iter+0x2cb/0x400 net/socket.c:991
 call_write_iter include/linux/fs.h:1902 [inline]
 new_sync_write+0x4d3/0x770 fs/read_write.c:483
 __vfs_write+0xe1/0x110 fs/read_write.c:496
 vfs_write+0x268/0x5d0 fs/read_write.c:558
 ksys_write+0x220/0x290 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f5c7193a370
Code: 73 01 c3 48 8b 0d c8 4a 2b 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 83 3d 85 a2 2b 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 0e 8a 01 00 48 89 04 24
RSP: 002b:00007ffdcd194578 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000038 RCX: 00007f5c7193a370
RDX: 0000000000000038 RSI: 000055bba62514a0 RDI: 0000000000000003
RBP: 000055bba62514a0 R08: 0000000000000001 R09: 0101010101010101
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdcd1945dc
R13: 000055bba61fcfb4 R14: 0000000000000028 R15: 000055bba61feca0
rcu: rcu_preempt kthread starved for 10502 jiffies! g10149 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_preempt     R  running task    29272    10      2 0x80004000
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x934/0x1f90 kernel/sched/core.c:4081
 schedule+0xdc/0x2b0 kernel/sched/core.c:4155
 schedule_timeout+0x486/0xc50 kernel/time/timer.c:1895
 rcu_gp_fqs_loop kernel/rcu/tree.c:1661 [inline]
 rcu_gp_kthread+0x9b2/0x18d0 kernel/rcu/tree.c:1821
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/12/20 14:55 upstream 7e0165b2f1a9 e30cbdae .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/20 13:44 upstream 7e0165b2f1a9 e30cbdae .config console log report syz C ci-upstream-kasan-gce
* Struck through repros no longer work on HEAD.