syzbot


inconsistent lock state in tee_netdev_event

Status: closed as invalid on 2022/11/15 17:18
Subsystems: netfilter
First crash: 591d, last: 591d

Sample crash report:
================================
WARNING: inconsistent lock state
6.0.0-rc4-syzkaller-17255-ga6b443748715 #0 Not tainted
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
syz-executor.2/14343 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff0000fc177978 ((&llc->ack_timer.timer)){+.?.}-{0:0}, at: tee_netdev_event+0x54/0x1a8 net/netfilter/xt_TEE.c:68
{IN-SOFTIRQ-W} state was registered at:
  lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
  call_timer_fn+0x7c/0x144 kernel/time/timer.c:1471
  expire_timers kernel/time/timer.c:1519 [inline]
  __run_timers+0x280/0x374 kernel/time/timer.c:1790
  run_timer_softirq+0x34/0x5c kernel/time/timer.c:1803
  _stext+0x168/0x37c
  run_ksoftirqd+0x4c/0x21c kernel/softirq.c:934
  smpboot_thread_fn+0x248/0x3e4 kernel/smpboot.c:164
  kthread+0x12c/0x158 kernel/kthread.c:376
  ret_from_fork+0x10/0x20
irq event stamp: 50429
hardirqs last  enabled at (50429): [<ffff8000081029e0>] __local_bh_enable_ip+0x13c/0x1a4 kernel/softirq.c:401
hardirqs last disabled at (50427): [<ffff800008102968>] __local_bh_enable_ip+0xc4/0x1a4 kernel/softirq.c:378
softirqs last  enabled at (50428): [<ffff80000b598714>] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (50428): [<ffff80000b598714>] rt_flush_dev+0x32c/0x374 net/ipv4/route.c:1557
softirqs last disabled at (50426): [<ffff80000b5984fc>] spin_lock_bh include/linux/spinlock.h:354 [inline]
softirqs last disabled at (50426): [<ffff80000b5984fc>] rt_flush_dev+0x114/0x374 net/ipv4/route.c:1548

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock((&llc->ack_timer.timer));
  <Interrupt>
    lock((&llc->ack_timer.timer));

 *** DEADLOCK ***

1 lock held by syz-executor.2/14343:
 #0: ffff80000d81a928 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x20/0x2c net/core/rtnetlink.c:74
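
How lockdep reaches the "inconsistent lock state" verdict above, as an added user-space model that is not code from the syzbot report, from xt_TEE or from the kernel's lockdep: each lock class remembers the contexts it has been taken in, and a lock once taken from softirq context (the timer callback in the report) that is later taken with softirqs enabled is flagged, because a softirq on the same CPU could interrupt the holder and spin on the same lock. The names `lock_class`, `ctx`, `lockdep_acquire` and the two `replay_*` functions are assumptions of this example; the sequence they replay is the one the report shows.

```c
/*
 * Added example, not part of the syzbot report or of the kernel: a
 * user-space model of the lockdep rule behind
 * "inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage".
 * Names (lock_class, ctx, lockdep_acquire) are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Usage bits, modelled on lockdep's LOCK_USED_IN_SOFTIRQ / LOCK_ENABLED_SOFTIRQ */
enum {
    USED_IN_SOFTIRQ = 1 << 0, /* {IN-SOFTIRQ-W}: taken from a softirq handler */
    ENABLED_SOFTIRQ = 1 << 1, /* {SOFTIRQ-ON-W}: taken with softirqs enabled */
};

struct lock_class {
    const char *name;
    unsigned int usage; /* OR of the bits above, accumulated over all acquisitions */
};

/* The context of one acquisition, the HC/SC/HE/SE fields of the report */
struct ctx {
    bool in_softirq;       /* running inside a softirq handler */
    bool softirqs_enabled; /* softirqs not masked, i.e. no *_bh section active */
};

/*
 * Record an acquisition. Returns 0 when the new usage is consistent with the
 * class history, 1 when it contradicts it (and fills `why`).
 */
static int lockdep_acquire(struct lock_class *c, const struct ctx *ctx,
                           char *why, size_t why_len)
{
    unsigned int new_bit = 0;

    if (ctx->in_softirq)
        new_bit |= USED_IN_SOFTIRQ;
    else if (ctx->softirqs_enabled)
        new_bit |= ENABLED_SOFTIRQ;

    /* Nothing new about this usage: already recorded for the class */
    if ((c->usage | new_bit) == c->usage)
        return 0;

    /*
     * Conflicting pair in either order: a softirq could preempt the
     * holder on the same CPU and try to take the same lock.
     */
    if ((new_bit & ENABLED_SOFTIRQ) && (c->usage & USED_IN_SOFTIRQ)) {
        snprintf(why, why_len,
                 "inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage on %s", c->name);
        c->usage |= new_bit;
        return 1;
    }
    if ((new_bit & USED_IN_SOFTIRQ) && (c->usage & ENABLED_SOFTIRQ)) {
        snprintf(why, why_len,
                 "inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage on %s", c->name);
        c->usage |= new_bit;
        return 1;
    }
    c->usage |= new_bit;
    return 0;
}

/* The order in the report: timer softirq first, then the rtnl/notifier path */
int replay_report_sequence(char *why, size_t why_len)
{
    struct lock_class timer = { "&llc->ack_timer.timer", 0 };
    struct ctx softirq = { .in_softirq = true, .softirqs_enabled = false };
    struct ctx process = { .in_softirq = false, .softirqs_enabled = true };

    if (lockdep_acquire(&timer, &softirq, why, why_len)) /* call_timer_fn */
        return -1; /* a first use has no history to conflict with */
    return lockdep_acquire(&timer, &process, why, why_len); /* tee_netdev_event */
}

/* The consistent variant: process context masks softirqs (a *_bh lock) first */
int replay_safe_sequence(char *why, size_t why_len)
{
    struct lock_class timer = { "&llc->ack_timer.timer", 0 };
    struct ctx softirq = { .in_softirq = true, .softirqs_enabled = false };
    struct ctx process_bh = { .in_softirq = false, .softirqs_enabled = false };

    if (lockdep_acquire(&timer, &softirq, why, why_len))
        return -1;
    return lockdep_acquire(&timer, &process_bh, why, why_len);
}

int main(void)
{
    char why[128] = "";

    if (replay_report_sequence(why, sizeof why))
        printf("WARNING: %s\n", why);
    if (!replay_safe_sequence(why, sizeof why))
        printf("bh-masked acquisition: no inconsistency\n");
    return 0;
}
```

The model only tracks the softirq bits that matter for this report; real lockdep keeps the same kind of history for hardirq and read/write variants and additionally walks the dependency graph, which is where the `rtnl_mutex` held at the time would enter.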

stack backtrace:
CPU: 1 PID: 14343 Comm: syz-executor.2 Not tainted 6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_usage_bug+0x39c/0x3cc kernel/locking/lockdep.c:3961
 mark_lock_irq+0x4a8/0x4b4
 mark_lock+0x154/0x1b4 kernel/locking/lockdep.c:4632
 __lock_acquire+0x618/0x30a4 kernel/locking/lockdep.c:5007
 lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
 __mutex_lock_common+0xd4/0xca8 kernel/locking/mutex.c:603
 __mutex_lock kernel/locking/mutex.c:747 [inline]
 mutex_lock_nested+0x38/0x44 kernel/locking/mutex.c:799
 tee_netdev_event+0x54/0x1a8 net/netfilter/xt_TEE.c:68
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0x7c/0x108 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1945 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10250 [inline]
 netdev_run_todo+0x340/0x6f0 net/core/dev.c:10364
 rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:147
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe8/0xfc drivers/net/tun.c:3455
 __fput+0x198/0x3dc fs/file_table.c:320
 ____fput+0x20/0x30 fs/file_table.c:353
 task_work_run+0xc4/0x14c kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x26c/0xbe0 kernel/exit.c:795
 do_group_exit+0x70/0xe8 kernel/exit.c:925
 get_signal+0xb0c/0xb40 kernel/signal.c:2857
 do_signal+0x128/0x438 arch/arm64/kernel/signal.c:1071
 do_notify_resume+0xc0/0x1f0 arch/arm64/kernel/signal.c:1124
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:625
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x18c/0x190
------------[ cut here ]------------
WARNING: CPU: 1 PID: 14343 at net/ipv6/ip6_fib.c:2068 fib6_walk_continue+0x278/0x2b0 net/ipv6/ip6_fib.c:2068
Modules linked in:
CPU: 1 PID: 14343 Comm: syz-executor.2 Not tainted 6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : fib6_walk_continue+0x278/0x2b0 net/ipv6/ip6_fib.c:2068
lr : fib6_walk_continue+0x278/0x2b0 net/ipv6/ip6_fib.c:2068
sp : ffff800014543790
x29: ffff800014543790 x28: 0000000000000000 x27: ffff0000fc263800
x26: ffff0000f8662510 x25: ffff0000fc263818 x24: ffff0000f8662510
x23: ffff0000f8662520 x22: ffff0000f8661a80 x21: ffff80000b773830
x20: 0000000000000000 x19: ffff8000145437f8 x18: 0000000000000071
x17: 6e69676e45206574 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000015 x12: ffff80000d8511f0
x11: ff8080000b78751c x10: 0000000000000000 x9 : ffff80000b78751c
x8 : ffff0000f5be4f80 x7 : 545b5d3730373135 x6 : ffff80000b785d78
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0000f5be4f80 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 fib6_walk_continue+0x278/0x2b0 net/ipv6/ip6_fib.c:2068
 fib6_walk net/ipv6/ip6_fib.c:2161 [inline]
 fib6_clean_tree net/ipv6/ip6_fib.c:2241 [inline]
 __fib6_clean_all+0x16c/0x2c4 net/ipv6/ip6_fib.c:2257
 fib6_clean_all+0x3c/0x50 net/ipv6/ip6_fib.c:2268
 rt6_sync_down_dev net/ipv6/route.c:4894 [inline]
 rt6_disable_ip+0x80/0xc8 net/ipv6/route.c:4899
 addrconf_ifdown+0x90/0xc30 net/ipv6/addrconf.c:3746
 addrconf_notify+0x234/0x7f0
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0x7c/0x108 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1945 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10250 [inline]
 netdev_run_todo+0x340/0x6f0 net/core/dev.c:10364
 rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:147
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe8/0xfc drivers/net/tun.c:3455
 __fput+0x198/0x3dc fs/file_table.c:320
 ____fput+0x20/0x30 fs/file_table.c:353
 task_work_run+0xc4/0x14c kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x26c/0xbe0 kernel/exit.c:795
 do_group_exit+0x70/0xe8 kernel/exit.c:925
 get_signal+0xb0c/0xb40 kernel/signal.c:2857
 do_signal+0x128/0x438 arch/arm64/kernel/signal.c:1071
 do_notify_resume+0xc0/0x1f0 arch/arm64/kernel/signal.c:1124
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:625
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x18c/0x190
irq event stamp: 50429
hardirqs last  enabled at (50429): [<ffff8000081029e0>] __local_bh_enable_ip+0x13c/0x1a4 kernel/softirq.c:401
hardirqs last disabled at (50427): [<ffff800008102968>] __local_bh_enable_ip+0xc4/0x1a4 kernel/softirq.c:378
softirqs last  enabled at (50428): [<ffff80000b598714>] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (50428): [<ffff80000b598714>] rt_flush_dev+0x32c/0x374 net/ipv4/route.c:1557
softirqs last disabled at (50426): [<ffff80000b5984fc>] spin_lock_bh include/linux/spinlock.h:354 [inline]
softirqs last disabled at (50426): [<ffff80000b5984fc>] rt_flush_dev+0x114/0x374 net/ipv4/route.c:1548
---[ end trace 0000000000000000 ]---
Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a0
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000140d86000
[00000000000001a0] pgd=0800000143390003, p4d=0800000143390003, pud=0000000000000000
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 14343 Comm: syz-executor.2 Tainted: G        W          6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : nf_tables_flowtable_event+0x74/0x1bc
lr : nf_tables_flowtable_event+0x60/0x1bc net/netfilter/nf_tables_api.c:8158
sp : ffff8000145439e0
x29: ffff8000145439e0 x28: ffff0000fc40c5a0 x27: ffff800014543aa8
x26: ffff80000d839160 x25: 0000000000000001 x24: dead000000000122
x23: 0000000000000000 x22: ffff0000fc40c000 x21: 0000000000000006
x20: ffff0000fc177700 x19: ffff0000fc177740 x18: 00000000000001f7
x17: ffff80000c00d6bc x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 000000000000000b x12: ffff80000d838730
x11: ff808000095a2e3c x10: ffff80000d339358 x9 : 0aa49d18a90bda00
x8 : 0aa49d18a90bda00 x7 : 0000000000000000 x6 : ffff80000b4762fc
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0000f5be4f80 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 nf_tables_flowtable_event+0x74/0x1bc
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0x7c/0x108 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1945 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10250 [inline]
 netdev_run_todo+0x340/0x6f0 net/core/dev.c:10364
 rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:147
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe8/0xfc drivers/net/tun.c:3455
 __fput+0x198/0x3dc fs/file_table.c:320
 ____fput+0x20/0x30 fs/file_table.c:353
 task_work_run+0xc4/0x14c kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x26c/0xbe0 kernel/exit.c:795
 do_group_exit+0x70/0xe8 kernel/exit.c:925
 get_signal+0xb0c/0xb40 kernel/signal.c:2857
 do_signal+0x128/0x438 arch/arm64/kernel/signal.c:1071
 do_notify_resume+0xc0/0x1f0 arch/arm64/kernel/signal.c:1124
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:625
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x18c/0x190
Code: eb1402ff 54000920 d2802458 f2fbd5b8 (f940d2f9) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	eb1402ff 	cmp	x23, x20
   4:	54000920 	b.eq	0x128  // b.none
   8:	d2802458 	mov	x24, #0x122                 	// #290
   c:	f2fbd5b8 	movk	x24, #0xdead, lsl #48
* 10:	f940d2f9 	ldr	x25, [x23, #416] <-- trapping instruction

Crashes (1):
Time: 2022/09/12 12:33
Kernel: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
Commit: a6b443748715
Syzkaller: 356d8217
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: info
Assets: disk image, vmlinux
Manager: ci-upstream-gce-arm64
Title: inconsistent lock state in tee_netdev_event