syzbot

 sign-in | mailing list | source | docs
🐞 Open [9]
🐞 Fixed [562]
🐞 Invalid [423]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

DATA RACE in buffer.(*ViewList).Remove

Status: fixed on 2024/12/13 12:59
Reported-by: syzbot+e026046f4bf8ad09ae1f@syzkaller.appspotmail.com
Fix commit: afa323bd3070 Replace most instances of IncRef with Clone.
First crash: 474d, last: 469d

Sample crash report:
WARNING: DATA RACE
Write at 0x00c001630008 by goroutine 1166:
  gvisor.dev/gvisor/pkg/buffer.(*ViewList).Remove()
      bazel-out/k8-fastbuild/bin/pkg/buffer/view_list.go:190 +0x98
  gvisor.dev/gvisor/pkg/buffer.(*Buffer).removeView()
      pkg/buffer/buffer.go:36 +0x35
  gvisor.dev/gvisor/pkg/buffer.(*Buffer).advanceRead()
      pkg/buffer/buffer.go:128 +0x70
  gvisor.dev/gvisor/pkg/buffer.(*Buffer).TrimFront()
      pkg/buffer/buffer.go:83 +0x6b
  gvisor.dev/gvisor/pkg/tcpip/stack.MergeFragment()
      pkg/tcpip/stack/packet_buffer.go:607 +0x84
  gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation.(*reassembler).process()
      pkg/tcpip/network/internal/fragmentation/reassembler.go:174 +0x10c6
  gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation.(*Fragmentation).Process()
      pkg/tcpip/network/internal/fragmentation/fragmentation.go:201 +0x8ef
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).processFragmentExtHdr()
      pkg/tcpip/network/ipv6/ipv6.go:1870 +0xa24
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).processExtensionHeader()
      pkg/tcpip/network/ipv6/ipv6.go:1455 +0x805
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).processExtensionHeaders()
      pkg/tcpip/network/ipv6/ipv6.go:1509 +0x456
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).deliverPacketLocally()
      pkg/tcpip/network/ipv6/ipv6.go:1397 +0x168
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handleValidatedPacket()
      pkg/tcpip/network/ipv6/ipv6.go:1376 +0x50e
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).HandlePacket()
      pkg/tcpip/network/ipv6/ipv6.go:1146 +0xe34
  gvisor.dev/gvisor/pkg/tcpip/stack.(*nic).DeliverNetworkPacket()
      pkg/tcpip/stack/nic.go:769 +0x216
  gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/nested/nested.go:61 +0x98
  gvisor.dev/gvisor/pkg/tcpip/link/packetsocket.(*endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/packetsocket/packetsocket.go:47 +0x4d
  gvisor.dev/gvisor/pkg/tcpip/link/channel.(*Endpoint).InjectInbound()
      pkg/tcpip/link/channel/channel.go:207 +0x98
  gvisor.dev/gvisor/pkg/tcpip/link/tun.(*Device).Write()
      pkg/tcpip/link/tun/device.go:250 +0xe91
  gvisor.dev/gvisor/pkg/sentry/devices/tundev.(*tunFD).Write()
      pkg/sentry/devices/tundev/tundev.go:163 +0x3c4
  gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).Write()
      pkg/sentry/vfs/file_description.go:679 +0x118
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux.write()
      pkg/sentry/syscalls/linux/sys_read_write.go:347 +0x90
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Write()
      pkg/sentry/syscalls/linux/sys_read_write.go:316 +0x2b1
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall()
      pkg/sentry/kernel/task_syscall.go:143 +0x994
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke()
      pkg/sentry/kernel/task_syscall.go:323 +0x71
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter()
      pkg/sentry/kernel/task_syscall.go:283 +0x93
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall()
      pkg/sentry/kernel/task_syscall.go:258 +0x4af
  gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute()
      pkg/sentry/kernel/task_run.go:269 +0x1fad
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run()
      pkg/sentry/kernel/task_run.go:97 +0x4fa
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).Start.gowrap1()
      pkg/sentry/kernel/task_start.go:400 +0x44

Previous read at 0x00c001630008 by goroutine 1175:
  gvisor.dev/gvisor/pkg/buffer.(*ViewList).Front()
      bazel-out/k8-fastbuild/bin/pkg/buffer/view_list.go:52 +0x24
  gvisor.dev/gvisor/pkg/buffer.(*Buffer).PullUp()
      pkg/buffer/buffer.go:313 +0xe9
  gvisor.dev/gvisor/pkg/tcpip/stack.(*PacketBuffer).headerView()
      pkg/tcpip/stack/packet_buffer.go:364 +0x12f
  gvisor.dev/gvisor/pkg/tcpip/stack.PacketHeader.Slice()
      pkg/tcpip/stack/packet_buffer.go:504 +0x47
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).processExtensionHeaders()
      pkg/tcpip/network/ipv6/ipv6.go:1508 +0x41a
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).deliverPacketLocally()
      pkg/tcpip/network/ipv6/ipv6.go:1397 +0x168
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handleValidatedPacket()
      pkg/tcpip/network/ipv6/ipv6.go:1376 +0x50e
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).HandlePacket()
      pkg/tcpip/network/ipv6/ipv6.go:1146 +0xe34
  gvisor.dev/gvisor/pkg/tcpip/stack.(*nic).DeliverNetworkPacket()
      pkg/tcpip/stack/nic.go:769 +0x216
  gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/nested/nested.go:61 +0x98
  gvisor.dev/gvisor/pkg/tcpip/link/packetsocket.(*endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/packetsocket/packetsocket.go:47 +0x4d
  gvisor.dev/gvisor/pkg/tcpip/link/channel.(*Endpoint).InjectInbound()
      pkg/tcpip/link/channel/channel.go:207 +0x98
  gvisor.dev/gvisor/pkg/tcpip/link/tun.(*Device).Write()
      pkg/tcpip/link/tun/device.go:250 +0xe91
  gvisor.dev/gvisor/pkg/sentry/devices/tundev.(*tunFD).Write()
      pkg/sentry/devices/tundev/tundev.go:163 +0x3c4
  gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).Write()
      pkg/sentry/vfs/file_description.go:679 +0x118
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux.write()
      pkg/sentry/syscalls/linux/sys_read_write.go:347 +0x90
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Write()
      pkg/sentry/syscalls/linux/sys_read_write.go:316 +0x2b1
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall()
      pkg/sentry/kernel/task_syscall.go:143 +0x994
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke()
      pkg/sentry/kernel/task_syscall.go:323 +0x71
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter()
      pkg/sentry/kernel/task_syscall.go:283 +0x93
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall()
      pkg/sentry/kernel/task_syscall.go:258 +0x4af
  gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute()
      pkg/sentry/kernel/task_run.go:269 +0x1fad
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run()
      pkg/sentry/kernel/task_run.go:97 +0x4fa
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).Start.gowrap1()
      pkg/sentry/kernel/task_start.go:400 +0x44

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/11/16 04:29 gvisor 336dc8504327 cfe3a04a .config console log report syz / log C ci-gvisor-systrap-1-race DATA RACE in buffer.(*ViewList).Remove
2024/11/15 22:08 gvisor 39a6242b5420 eeafb645 .config console log report syz / log C ci-gvisor-ptrace-1-race DATA RACE in buffer.(*ViewList).Remove
2024/11/21 02:52 gvisor 151f3fb3bf57 4b25d554 .config console log report syz / log ci-gvisor-ptrace-2-race-cover DATA RACE in buffer.(*ViewList).Remove
2024/11/16 03:40 gvisor 336dc8504327 cfe3a04a .config console log report syz / log ci-gvisor-ptrace-2-race DATA RACE in buffer.(*ViewList).Remove
* Struck through repros no longer work on HEAD.