syzbot

 sign-in | mailing list | source | docs
🐞 Open [995] Subsystems 🐞 Fixed [5244] 🐞 Invalid [12516] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KCSAN: data-race in ip_finish_output2 / ip_tunnel_xmit

Status: fixed on 2023/06/08 14:41
Subsystems: net
[Documentation on labels]
Fix commit: 4b397c06cb98 net: tunnels: annotate lockless accesses to dev->needed_headroom
First crash: 453d, last: 453d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in ip_finish_output2 / ip_tunnel_xmit

write to 0xffff8881388520e4 of 2 bytes by task 4063 on cpu 0:
 ip_tunnel_xmit+0x140f/0x1680 net/ipv4/ip_tunnel.c:804
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x74d/0x850 net/ipv4/ip_output.c:228
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x74d/0x850 net/ipv4/ip_output.c:228
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x74d/0x850 net/ipv4/ip_output.c:228
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip6_finish_output2+0xa12/0xc30 net/ipv6/ip6_output.c:134
 __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
 ip6_finish_output+0x395/0x4f0 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 mld_sendpack+0x425/0x660 net/ipv6/mcast.c:1820
 mld_send_cr net/ipv6/mcast.c:2121 [inline]
 mld_ifc_work+0x576/0x800 net/ipv6/mcast.c:2653
 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
 worker_thread+0x618/0xa70 kernel/workqueue.c:2436
 kthread+0x1a9/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

read to 0xffff8881388520e4 of 2 bytes by task 3216 on cpu 1:
 ip_finish_output2+0x66/0x850 net/ipv4/ip_output.c:199
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x74d/0x850 net/ipv4/ip_output.c:228
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x74d/0x850 net/ipv4/ip_output.c:228
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x74d/0x850 net/ipv4/ip_output.c:228
 ip_finish_output+0xf3/0x250 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x60/0x80 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x306/0x470 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x15c7/0x1680 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x506/0x560 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one+0xc0/0x2a0 net/core/dev.c:3583
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3599
 __dev_queue_xmit+0x91c/0x11c0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_direct_output+0x13/0x20 net/core/neighbour.c:1611
 neigh_output include/net/neighbour.h:546 [inline]
 ip6_finish_output2+0xa12/0xc30 net/ipv6/ip6_output.c:134
 __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
 ip6_finish_output+0x395/0x4f0 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 mld_sendpack+0x425/0x660 net/ipv6/mcast.c:1820
 mld_send_cr net/ipv6/mcast.c:2121 [inline]
 mld_ifc_work+0x576/0x800 net/ipv6/mcast.c:2653
 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
 worker_thread+0x618/0xa70 kernel/workqueue.c:2436
 kthread+0x1a9/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

value changed: 0x17d4 -> 0x1814

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 3216 Comm: kworker/1:3 Tainted: G        W          6.2.0-rc5-syzkaller-00221-gab072681eabe-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: mld mld_ifc_work
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/30 00:13 upstream ab072681eabe 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in ip_finish_output2 / ip_tunnel_xmit
* Struck through repros no longer work on HEAD.