syzbot


BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+7d941e89dd48bcf42573@syzkaller.appspotmail.com
Fix commit: a100243d95a6 rtnetlink: avoid RCU read lock when holding RTNL
First crash: 645d, last: 587d

Cause bisection: introduced by (bisect log) :
commit f185de28d9ae6c978135993769352e523ee8df06
Author: Taehee Yoo <ap420073@gmail.com>
Date: Thu Mar 25 16:16:56 2021 +0000

  mld: add new workqueues for process mld events

Crash: WARNING: suspicious RCU usage in igmp6_group_dropped (log)
Repro: C syz .config
Last patch testing requests:
Created Duration User Patch Repo Result
2021/05/06 19:41 20m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git net OK
2021/05/05 21:21 19m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git net OK
2021/05/05 20:29 20m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git net OK
2021/05/05 20:00 10m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git net error

Sample crash report:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:928
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 9797, name: syz-executor058
2 locks held by syz-executor058/9797:
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3f9/0xad0 net/core/rtnetlink.c:5559
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: nla_ok include/net/netlink.h:1159 [inline]
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: do_setlink+0x27d0/0x3af0 net/core/rtnetlink.c:2868
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 9797 Comm: syz-executor058 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8328
 __mutex_lock_common kernel/locking/mutex.c:928 [inline]
 __mutex_lock+0xa9/0x1120 kernel/locking/mutex.c:1096
 __ipv6_dev_mc_dec+0x5f/0x340 net/ipv6/mcast.c:965
 addrconf_leave_solict net/ipv6/addrconf.c:2182 [inline]
 addrconf_leave_solict net/ipv6/addrconf.c:2174 [inline]
 __ipv6_ifa_notify+0x5b6/0xa90 net/ipv6/addrconf.c:6099
 ipv6_ifa_notify net/ipv6/addrconf.c:6122 [inline]
 ipv6_del_addr+0x463/0xae0 net/ipv6/addrconf.c:1294
 addrconf_verify_rtnl+0xdbc/0x1220 net/ipv6/addrconf.c:4489
 inet6_set_iftoken net/ipv6/addrconf.c:5757 [inline]
 inet6_set_link_af+0x53c/0xc40 net/ipv6/addrconf.c:5833
 do_setlink+0x290d/0x3af0 net/core/rtnetlink.c:2875
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3385
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4437a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff53d90558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fff53d90580 RCX: 00000000004437a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff53d90570
R13: 00000000000f4240 R14: 0000000000011e5e R15: 00007fff53d90564

=============================
[ BUG: Invalid wait context ]
5.12.0-rc7-syzkaller #0 Tainted: G        W        
-----------------------------
syz-executor058/9797 is trying to lock:
ffff8880188c4530 (&idev->mc_lock){+.+.}-{3:3}, at: __ipv6_dev_mc_dec+0x5f/0x340 net/ipv6/mcast.c:965
other info that might help us debug this:
context-{4:4}
2 locks held by syz-executor058/9797:
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3f9/0xad0 net/core/rtnetlink.c:5559
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: nla_ok include/net/netlink.h:1159 [inline]
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: do_setlink+0x27d0/0x3af0 net/core/rtnetlink.c:2868
stack backtrace:
CPU: 1 PID: 9797 Comm: syz-executor058 Tainted: G        W         5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4552 [inline]
 check_wait_context kernel/locking/lockdep.c:4613 [inline]
 __lock_acquire.cold+0x219/0x3b4 kernel/locking/lockdep.c:4851
 lock_acquire kernel/locking/lockdep.c:5511 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5476
 __mutex_lock_common kernel/locking/mutex.c:949 [inline]
 __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
 __ipv6_dev_mc_dec+0x5f/0x340 net/ipv6/mcast.c:965
 addrconf_leave_solict net/ipv6/addrconf.c:2182 [inline]
 addrconf_leave_solict net/ipv6/addrconf.c:2174 [inline]
 __ipv6_ifa_notify+0x5b6/0xa90 net/ipv6/addrconf.c:6099
 ipv6_ifa_notify net/ipv6/addrconf.c:6122 [inline]
 ipv6_del_addr+0x463/0xae0 net/ipv6/addrconf.c:1294
 addrconf_verify_rtnl+0xdbc/0x1220 net/ipv6/addrconf.c:4489
 inet6_set_iftoken net/ipv6/addrconf.c:5757 [inline]
 inet6_set_link_af+0x53c/0xc40 net/ipv6/addrconf.c:5833
 do_setlink+0x290d/0x3af0 net/core/rtnetlink.c:2875
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3385
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4437a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff53d90558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fff53d90580 RCX: 00000000004437a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff53d90570
R13: 00000000000f4240 R14: 0000000000011e5e R15: 00007fff53d90564
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:197
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 9797, name: syz-executor058
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffffff87026ff3>] local_bh_disable include/linux/bottom_half.h:19 [inline]
[<ffffffff87026ff3>] netif_addr_lock_bh include/linux/netdevice.h:4549 [inline]
[<ffffffff87026ff3>] __dev_mc_del net/core/dev_addr_lists.c:814 [inline]
[<ffffffff87026ff3>] dev_mc_del+0x63/0x110 net/core/dev_addr_lists.c:833
CPU: 1 PID: 9797 Comm: syz-executor058 Tainted: G        W         5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8328
 might_alloc include/linux/sched/mm.h:197 [inline]
 slab_pre_alloc_hook mm/slab.h:497 [inline]
 slab_alloc_node mm/slub.c:2826 [inline]
 slab_alloc mm/slub.c:2915 [inline]
 kmem_cache_alloc_trace+0x263/0x2a0 mm/slub.c:2932
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 mld_add_delrec net/ipv6/mcast.c:737 [inline]
 igmp6_leave_group net/ipv6/mcast.c:2629 [inline]
 igmp6_group_dropped+0x4f7/0xe90 net/ipv6/mcast.c:717
 __ipv6_dev_mc_dec+0x25d/0x340 net/ipv6/mcast.c:973
 addrconf_leave_solict net/ipv6/addrconf.c:2182 [inline]
 addrconf_leave_solict net/ipv6/addrconf.c:2174 [inline]
 __ipv6_ifa_notify+0x5b6/0xa90 net/ipv6/addrconf.c:6099
 ipv6_ifa_notify net/ipv6/addrconf.c:6122 [inline]
 ipv6_del_addr+0x463/0xae0 net/ipv6/addrconf.c:1294
 addrconf_verify_rtnl+0xdbc/0x1220 net/ipv6/addrconf.c:4489
 inet6_set_iftoken net/ipv6/addrconf.c:5757 [inline]
 inet6_set_link_af+0x53c/0xc40 net/ipv6/addrconf.c:5833
 do_setlink+0x290d/0x3af0 net/core/rtnetlink.c:2875
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3385
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4437a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff53d90558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fff53d90580 RCX: 00000000004437a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff53d90570
R13: 00000000000f4240 R14: 0000000000011e5e R15: 00007fff53d90564

Crashes (21):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-net-kasan-gce 2021/05/03 11:44 net-next 95aafe911db6 77e2b668 .config console log report syz C BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-kasan-gce 2021/05/03 04:58 net-next 95aafe911db6 77e2b668 .config console log report syz C BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-kasan-gce-root 2021/06/29 21:03 upstream c54b245d0118 a4fccb01 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-kasan-gce-smack-root 2021/06/02 05:59 upstream 231bc5390667 032639db .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-kasan-gce-selinux-root 2021/05/11 22:13 upstream 88b06399c9c7 b3c3bb8e .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-kasan-gce-386 2021/06/18 04:21 upstream fd0aa1a4567d aba2b2fb .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-kasan-gce-386 2021/06/13 04:41 upstream 8ecfa36cd4db 1ba81399 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-qemu-upstream-386 2021/05/16 14:37 upstream 63d1cb53e26a f54a5c09 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/06/26 02:33 net be7f62eebaff ae6bf8dd .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/06/23 23:27 net 7c2becf7968b fe4ab389 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/06/22 14:18 net 0cd58e5c53ba aba2b2fb .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/06/05 04:23 net 3822d0670c9d 500c2339 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/06/03 23:53 net 261ba78cc364 0740de69 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/05/31 00:39 net 593f555fbc60 325a8dab .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/05/23 22:35 net e29f011e8fc0 3c7fef33 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/05/18 12:45 net 1dde47a66d4f a343ba6b .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/05/14 19:23 net e4df1b0c2435 8bdd5343 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce 2021/05/09 12:14 net b741596468b0 bc5434be .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-kasan-gce 2021/05/11 00:42 net-next 48de7c0c1c92 ca873091 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-kasan-gce 2021/05/02 21:43 net-next 95aafe911db6 77e2b668 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-linux-next-kasan-gce-root 2021/05/10 14:06 linux-next e6f67ebd93ef ca873091 .config console log report info BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
* Struck through repros no longer work on HEAD.