syzbot


KCSAN: data-race in __dev_set_promiscuity / ip_route_output_key_hash_rcu

Status: auto-closed as invalid on 2021/01/04 03:34
Subsystems: net
Reported-by: syzbot+bf50eb9f0aa68fb96bbf@syzkaller.appspotmail.com
First crash: 1236d, last: 1236d

Sample crash report:
device macvtap1 entered promiscuous mode
==================================================================
BUG: KCSAN: data-race in __dev_set_promiscuity / ip_route_output_key_hash_rcu

read to 0xffff8881221bb228 of 4 bytes by interrupt on cpu 1:
 ip_route_output_key_hash_rcu+0x189/0x950 net/ipv4/route.c:2584
 ip_route_output_key_hash net/ipv4/route.c:2507 [inline]
 __ip_route_output_key include/net/route.h:126 [inline]
 ip_route_output_flow+0xaf/0x160 net/ipv4/route.c:2768
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x173/0x560 net/ipv4/igmp.c:369
 add_grhead net/ipv4/igmp.c:440 [inline]
 add_grec+0xbc3/0xd10 net/ipv4/igmp.c:573
 igmpv3_send_cr net/ipv4/igmp.c:710 [inline]
 igmp_ifc_timer_expire+0x5d5/0xa20 net/ipv4/igmp.c:807
 call_timer_fn+0x2e/0x240 kernel/time/timer.c:1410
 expire_timers+0x116/0x260 kernel/time/timer.c:1455
 __run_timers+0x338/0x3d0 kernel/time/timer.c:1747
 run_timer_softirq+0x19/0x30 kernel/time/timer.c:1760
 __do_softirq+0x12c/0x2b1 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu+0xb2/0xc0 kernel/softirq.c:423
 sysvec_apic_timer_interrupt+0x74/0x90 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
 native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
 arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
 kcsan_setup_watchpoint+0x1ec/0x4d0 kernel/kcsan/core.c:591
 skb_zcopy include/linux/skbuff.h:1435 [inline]
 skb_orphan_frags include/linux/skbuff.h:2771 [inline]
 pskb_expand_head+0x2b2/0x8c0 net/core/skbuff.c:1643
 skb_ensure_writable+0x13d/0x1a0 net/core/skbuff.c:5452
 __bpf_try_make_writable net/core/filter.c:1654 [inline]
 bpf_try_make_writable net/core/filter.c:1660 [inline]
 bpf_try_make_head_writable net/core/filter.c:1668 [inline]
 ____bpf_clone_redirect net/core/filter.c:2442 [inline]
 bpf_clone_redirect+0xb6/0x1c0 net/core/filter.c:2420
 bpf_prog_bebbfe2050753572+0x56/0x70c
 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
 bpf_test_run+0x266/0x450 net/bpf/test_run.c:50
 bpf_prog_test_run_skb+0x6f0/0xe70 net/bpf/test_run.c:581
 bpf_prog_test_run kernel/bpf/syscall.c:3125 [inline]
 __do_sys_bpf+0x39d6/0x9aa0 kernel/bpf/syscall.c:4417
 __se_sys_bpf kernel/bpf/syscall.c:4357 [inline]
 __x64_sys_bpf+0x3d/0x50 kernel/bpf/syscall.c:4357
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

read-write to 0xffff8881221bb228 of 4 bytes by task 22529 on cpu 0:
 __dev_set_promiscuity+0x8c/0x380 net/core/dev.c:8197
 dev_set_promiscuity+0x37/0x90 net/core/dev.c:8253
 macvlan_change_rx_flags+0xe8/0x100 drivers/net/macvlan.c:769
 dev_change_rx_flags net/core/dev.c:8186 [inline]
 __dev_set_promiscuity+0x30d/0x380 net/core/dev.c:8230
 __dev_change_flags+0x1e8/0x400 net/core/dev.c:8432
 rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3123
 __rtnl_newlink net/core/rtnetlink.c:3460 [inline]
 rtnl_newlink+0xf14/0x13a0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x723/0x7c0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x13e/0x240 net/netlink/af_netlink.c:2494
 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5580
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x5df/0x6b0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x6f8/0x7c0 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 ____sys_sendmsg+0x352/0x4c0 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x1e2/0x260 net/socket.c:2440
 __do_sys_sendmsg net/socket.c:2449 [inline]
 __se_sys_sendmsg net/socket.c:2447 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2447
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 22529 Comm: syz-executor.4 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (1):
Time: 2020/11/30 03:34
Kernel: upstream
Commit: b65054597872
Syzkaller: a0092f9d
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: info
Assets: -
Manager: ci2-upstream-kcsan-gce
Title: -
* Struck through repros no longer work on HEAD.