syzbot


general protection fault in hrtimer_active (3)

Status: fixed on 2022/03/08 16:11
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: e28587cc491e sit: do not call ipip6_dev_free() from sit_init_net()
First crash: 459d, last: 154d

Cause bisection: introduced by (bisect log):
commit 766b0515d5bec4b780750773ed3009b148df8c0a
Author: Jakub Kicinski <kuba@kernel.org>
Date: Wed Jan 6 18:40:07 2021 +0000

  net: make sure devices go through netdev_wait_all_refs

Crash: unregister_netdevice: waiting for DEV to become free (log)
Repro: syz .config

Fix bisection: failed (bisect log)
Similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in hrtimer_active C 669 1698d 1722d 3/22 fixed on 2017/11/28 03:36
upstream general protection fault in hrtimer_active (2) C 10612 1585d 1589d 4/22 fixed on 2018/03/06 13:29
linux-4.19 general protection fault in hrtimer_active C error 66 286d 1030d 0/1 upstream: reported C repro on 2019/09/09 21:23

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 117 Comm: kworker/u4:3 Tainted: G        W         5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:__seqprop_raw_spinlock_sequence include/linux/seqlock.h:276 [inline]
RIP: 0010:hrtimer_active+0x6b/0x1f0 kernel/time/hrtimer.c:1463
Code: 01 f0 48 89 44 24 10 e8 c3 6d 10 00 48 8b 44 24 08 80 38 00 0f 85 71 01 00 00 49 8b 6d 30 48 8d 45 10 48 89 04 24 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 42 01 00 00 8b 5d 10 31 ff
RSP: 0018:ffffc900014f7918 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffffe8ffffa1bbf0 RCX: 0000000000000000
RDX: ffff8880153a2380 RSI: ffffffff8164510d RDI: ffffe8ffffa1bbf0
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000000ffa1ba00
R10: ffffffff8711716d R11: 0000000000000000 R12: 0000000000000000
R13: ffffe8ffffa1bbf0 R14: dffffc0000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055abb45f15ff CR3: 0000000026155000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hrtimer_try_to_cancel+0x21/0x1e0 kernel/time/hrtimer.c:1180
 hrtimer_cancel+0x13/0x40 kernel/time/hrtimer.c:1295
 napi_disable+0xc3/0x110 net/core/dev.c:6946
 gro_cells_destroy net/core/gro_cells.c:101 [inline]
 gro_cells_destroy+0x10d/0x360 net/core/gro_cells.c:92
 ip_tunnel_dev_free+0x15/0x60 net/ipv4/ip_tunnel.c:1000
 netdev_run_todo+0x6b4/0xa80 net/core/dev.c:10609
 ip_tunnel_delete_nets+0x3f0/0x5b0 net/ipv4/ip_tunnel.c:1114
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:178
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 577743e35b35f6ae ]---
RIP: 0010:__seqprop_raw_spinlock_sequence include/linux/seqlock.h:276 [inline]
RIP: 0010:hrtimer_active+0x6b/0x1f0 kernel/time/hrtimer.c:1463
Code: 01 f0 48 89 44 24 10 e8 c3 6d 10 00 48 8b 44 24 08 80 38 00 0f 85 71 01 00 00 49 8b 6d 30 48 8d 45 10 48 89 04 24 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 42 01 00 00 8b 5d 10 31 ff
RSP: 0018:ffffc900014f7918 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffffe8ffffa1bbf0 RCX: 0000000000000000
RDX: ffff8880153a2380 RSI: ffffffff8164510d RDI: ffffe8ffffa1bbf0
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000000ffa1ba00
R10: ffffffff8711716d R11: 0000000000000000 R12: 0000000000000000
R13: ffffe8ffffa1bbf0 R14: dffffc0000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055abb4556ca8 CR3: 000000002dda0000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (34):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2021/07/03 04:00 upstream 3dbdb38e2869 55aa55c2 .config log report syz general protection fault in hrtimer_active
ci-upstream-kasan-gce-root 2021/06/25 18:13 upstream 44db63d1ad8d ae6bf8dd .config log report info general protection fault in hrtimer_active
ci-upstream-kasan-gce-root 2021/06/01 21:36 upstream c2131f7e73c9 032639db .config log report info general protection fault in hrtimer_active
ci-qemu-upstream 2021/05/28 03:33 upstream 97e5bf604b7a 858ea628 .config log report info general protection fault in hrtimer_active
ci-qemu-upstream-386 2021/08/01 22:16 upstream d4affd6b6e81 6c236867 .config log report info general protection fault in hrtimer_active
ci-qemu-upstream-386 2021/06/18 22:09 upstream b1edae0d5f2e aba2b2fb .config log report info general protection fault in hrtimer_active
ci-qemu-upstream-386 2021/06/11 14:57 upstream 06af8679449d 1ba81399 .config log report info general protection fault in hrtimer_active
ci-qemu-upstream-386 2021/06/04 09:46 upstream f88cd3fb9df2 966a236b .config log report info general protection fault in hrtimer_active
ci-qemu-upstream-386 2021/05/29 17:24 upstream 6799d4f2da49 325a8dab .config log report info general protection fault in hrtimer_active
ci-qemu-upstream-386 2021/05/28 14:11 upstream 97e5bf604b7a 858ea628 .config log report info general protection fault in hrtimer_active
ci-upstream-net-this-kasan-gce 2021/12/19 04:50 net 60ec7fcfe768 44068e19 .config log report info general protection fault in hrtimer_active
ci-upstream-bpf-kasan-gce 2021/09/09 22:47 bpf 57f780f1c433 e2776ee4 .config log report info general protection fault in hrtimer_active
ci-upstream-net-this-kasan-gce 2021/08/22 21:25 net 9cf448c200ba b599f2fc .config log report info general protection fault in hrtimer_active
ci-upstream-net-this-kasan-gce 2021/08/22 14:17 net 12d125b4574b b599f2fc .config log report info general protection fault in hrtimer_active
ci-upstream-bpf-kasan-gce 2021/07/29 02:58 bpf 2039f26f3aca 9a4781d4 .config log report info general protection fault in hrtimer_active
ci-upstream-bpf-kasan-gce 2021/05/26 10:22 bpf f5d287126f63 54f0bcf1 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2022/02/01 22:51 net-next e4d2763f9aaf 4ebb2798 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2022/01/31 03:48 net-next ff58831fa02d 495e00c5 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/12/14 12:58 net-next a3c62a042237 d018dd31 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/11/25 07:56 net-next d156250018ab 545ab074 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/10/20 18:05 net-next 816219a86d21 418a00eb .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/09/06 01:29 net-next 29ce8f970107 d236a457 .config log report info general protection fault in hrtimer_active
ci-upstream-bpf-next-kasan-gce 2021/08/08 23:04 bpf-next c83ae15dc947 6972b106 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/08/04 02:41 net-next 7cdd0a89ec70 6c236867 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/07/12 09:05 net-next 5e437416ff66 a4869c92 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/07/04 20:39 net-next 5e437416ff66 55aa55c2 .config log report info general protection fault in hrtimer_active
ci-upstream-bpf-next-kasan-gce 2021/06/28 07:15 bpf-next a196fa78a265 9d2ab5df .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/06/19 02:56 net-next 4bea7207a80c aba2b2fb .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/06/06 11:02 net-next 1a42624aecba 500c2339 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/05/03 05:42 net-next 95aafe911db6 77e2b668 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/04/16 05:34 net-next c329e5afb42f c59079a6 .config log report info general protection fault in hrtimer_active
ci-upstream-net-kasan-gce 2021/04/03 01:48 net-next f3f409a9b7f5 6a81331a .config log report info general protection fault in hrtimer_active
ci-upstream-linux-next-kasan-gce-root 2021/09/16 21:25 linux-next 368847b165bb aae492f2 .config log report info general protection fault in hrtimer_active
ci-upstream-linux-next-kasan-gce-root 2021/05/26 23:18 linux-next a1f92694393a 858ea628 .config log report info general protection fault in hrtimer_active