syzbot

 sign-in | mailing list | source | docs
🐞 Open [971] 🐞 Fixed [3880] 🐞 Invalid [8364] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

INFO: rcu detected stall in addrconf_dad_work (5)

Status: upstream: reported C repro on 2020/09/07 15:59
Reported-by: syzbot+251463bfa779ca087ad1@syzkaller.appspotmail.com
First crash: 669d, last: 141d

Cause bisection: introduced by (bisect log) :
commit 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
Author: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Date: Sat Sep 29 00:59:43 2018 +0000

  tc: Add support for configuring the taprio scheduler

Crash: no output from test machine (log)
Repro: C syz .config

Fix bisection: the fix commit could be any of (bisect log):
  fc3abb53250a Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
  9e9fb7655ed5 Merge tag 'net-next-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
similar bugs (8):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream INFO: rcu detected stall in addrconf_dad_work (4) 8 908d 908d 0/22 closed as invalid on 2020/01/09 08:13
upstream INFO: rcu detected stall in addrconf_dad_work (3) 6 908d 908d 0/22 closed as invalid on 2020/01/08 05:23
linux-4.14 INFO: rcu detected stall in addrconf_dad_work C done 18 1025d 1031d 1/1 fixed on 2019/12/06 10:33
upstream INFO: rcu detected stall in addrconf_dad_work (2) 15 943d 945d 0/22 closed as invalid on 2019/12/04 14:14
upstream INFO: rcu detected stall in addrconf_dad_work C done 126 1023d 1028d 14/22 fixed on 2019/10/09 10:54
linux-4.19 INFO: rcu detected stall in addrconf_dad_work (2) C done 1 927d 927d 1/1 fixed on 2020/01/19 15:05
linux-4.19 INFO: rcu detected stall in addrconf_dad_work C done 19 1019d 1031d 1/1 fixed on 2019/12/07 19:18
linux-4.19 BUG: soft lockup in addrconf_dad_work C error 7 55d 141d 0/1 upstream: reported C repro on 2022/02/13 10:05

Sample crash report:
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	0-....: (1 GPs behind) idle=fb5/1/0x4000000000000000 softirq=5153/5158 fqs=5250 
	(t=10502 jiffies g=5037 q=186)
NMI backtrace for cpu 0
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
 rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343
 print_cpu_stall kernel/rcu/tree_stall.h:604 [inline]
 check_cpu_stall kernel/rcu/tree_stall.h:688 [inline]
 rcu_pending kernel/rcu/tree.c:3919 [inline]
 rcu_sched_clock_irq.cold+0x5c/0x759 kernel/rcu/tree.c:2617
 update_process_times+0x16d/0x200 kernel/time/timer.c:1785
 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226
 tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749
 hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]
 __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103
 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:qdisc_pkt_len include/net/sch_generic.h:816 [inline]
RIP: 0010:tcf_police_act+0x388/0x11d0 net/sched/act_police.c:264
Code: 03 00 00 e8 1a ab 28 fa 4c 89 fa 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 <84> d2 0f 85 5b 0b 00 00 48 8d 7d 10 45 8b 6c 24 28 48 b8 00 00 00
RSP: 0018:ffffc90000cc6c68 EFLAGS: 00000206
RAX: 0000000000000003 RBX: ffff88807d7b1400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff874fcc76 RDI: 0000000000000003
RBP: ffff88801b377200 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff874fcc68 R11: 0000000000000000 R12: ffff88802320ab40
R13: ffff88801b377204 R14: 0000000000000000 R15: ffff88802320ab68
 tcf_action_exec net/sched/act_api.c:1049 [inline]
 tcf_action_exec+0x1a6/0x530 net/sched/act_api.c:1026
 tcf_exts_exec include/net/pkt_cls.h:326 [inline]
 route4_classify+0xef0/0x1400 net/sched/cls_route.c:179
 __tcf_classify net/sched/cls_api.c:1549 [inline]
 tcf_classify+0x3e8/0x9d0 net/sched/cls_api.c:1615
 prio_classify net/sched/sch_prio.c:42 [inline]
 prio_enqueue+0x3a7/0x790 net/sched/sch_prio.c:75
 dev_qdisc_enqueue+0x40/0x300 net/core/dev.c:3668
 __dev_xmit_skb net/core/dev.c:3756 [inline]
 __dev_queue_xmit+0x1f61/0x3660 net/core/dev.c:4081
 neigh_hh_output include/net/neighbour.h:533 [inline]
 neigh_output include/net/neighbour.h:547 [inline]
 ip_finish_output2+0x14dc/0x2170 net/ipv4/ip_output.c:228
 __ip_finish_output net/ipv4/ip_output.c:306 [inline]
 __ip_finish_output+0x396/0x650 net/ipv4/ip_output.c:288
 ip_finish_output+0x32/0x200 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x628/0xa50 net/ipv4/ip_tunnel_core.c:82
 geneve_xmit_skb drivers/net/geneve.c:966 [inline]
 geneve_xmit+0x10c8/0x3530 drivers/net/geneve.c:1077
 __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
 netdev_start_xmit include/linux/netdevice.h:4697 [inline]
 xmit_one net/core/dev.c:3473 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3489
 __dev_queue_xmit+0x2985/0x3660 net/core/dev.c:4116
 neigh_resolve_output net/core/neighbour.c:1528 [inline]
 neigh_resolve_output+0x50e/0x830 net/core/neighbour.c:1508
 neigh_output include/net/neighbour.h:549 [inline]
 ip6_finish_output2+0x56e/0x14f0 net/ipv6/ip6_output.c:126
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170
 ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:451 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508
 ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650
 addrconf_dad_work+0xc3f/0x1340 net/ipv6/addrconf.c:4153
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
----------------
Code disassembly (best guess):
   0:	03 00                	add    (%rax),%eax
   2:	00 e8                	add    %ch,%al
   4:	1a ab 28 fa 4c 89    	sbb    -0x76b305d8(%rbx),%ch
   a:	fa                   	cli
   b:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  12:	fc ff df
  15:	48 c1 ea 03          	shr    $0x3,%rdx
  19:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
  1d:	4c 89 f8             	mov    %r15,%rax
  20:	83 e0 07             	and    $0x7,%eax
  23:	83 c0 03             	add    $0x3,%eax
  26:	38 d0                	cmp    %dl,%al
  28:	7c 08                	jl     0x32
* 2a:	84 d2                	test   %dl,%dl <-- trapping instruction
  2c:	0f 85 5b 0b 00 00    	jne    0xb8d
  32:	48 8d 7d 10          	lea    0x10(%rbp),%rdi
  36:	45 8b 6c 24 28       	mov    0x28(%r12),%r13d
  3b:	48                   	rex.W
  3c:	b8                   	.byte 0xb8
  3d:	00 00                	add    %al,(%rax)

Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2022/02/13 10:24 upstream b81b1829e7e3 8b9ca619 .config log report syz C INFO: rcu detected stall in addrconf_dad_work
ci-upstream-net-kasan-gce 2022/02/13 10:23 net-next 5a8fb33e5305 8b9ca619 .config log report syz C INFO: rcu detected stall in addrconf_dad_work
ci-upstream-kasan-gce-root 2020/09/03 15:50 upstream fc3abb53250a abf9ba4f .config log report syz C