syzbot


KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (8)

Status: fixed on 2023/12/21 01:43
Subsystems: bridge
[Documentation on labels]
Fix commit: 44bdb313da57 net: bridge: use DEV_STATS_INC()
First crash: 215d, last: 215d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (4) bridge 3 1244d 1225d 0/26 auto-closed as invalid on 2020/12/27 17:42
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (3) bridge 11 1294d 1380d 0/26 auto-closed as invalid on 2020/11/07 07:33
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (7) bridge 92 266d 705d 0/26 auto-obsoleted due to no activity on 2023/09/01 04:22
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (5) bridge 2 1152d 1183d 0/26 auto-closed as invalid on 2021/03/30 00:44
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish bridge 3 1536d 1616d 0/26 auto-closed as invalid on 2020/04/14 05:00
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (2) bridge 1 1411d 1411d 0/26 closed as invalid on 2020/06/18 14:13
upstream KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish (6) bridge 7 769d 890d 0/26 auto-closed as invalid on 2022/04/16 22:53

Sample crash report:
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
==================================================================
BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish

read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
 br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
 br_nf_hook_thresh+0x1ed/0x220
 br_nf_pre_routing_finish_ipv6+0x50f/0x540
 NF_HOOK include/linux/netfilter.h:304 [inline]
 br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
 br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
 __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
 __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
 process_backlog+0x21f/0x380 net/core/dev.c:5965
 __napi_poll+0x60/0x3b0 net/core/dev.c:6527
 napi_poll net/core/dev.c:6594 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6727
 __do_softirq+0xc1/0x265 kernel/softirq.c:553
 run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
 smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
 br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
 br_nf_hook_thresh+0x1ed/0x220
 br_nf_pre_routing_finish_ipv6+0x50f/0x540
 NF_HOOK include/linux/netfilter.h:304 [inline]
 br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
 br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
 __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
 __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
 process_backlog+0x21f/0x380 net/core/dev.c:5965
 __napi_poll+0x60/0x3b0 net/core/dev.c:6527
 napi_poll net/core/dev.c:6594 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6727
 __do_softirq+0xc1/0x265 kernel/softirq.c:553
 do_softirq+0x5e/0x90 kernel/softirq.c:454
 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
 batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
 worker_thread+0x525/0x730 kernel/workqueue.c:2784
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

value changed: 0x00000000000d7190 -> 0x00000000000d7191

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: bat_events batadv_tt_purge
==================================================================
net_ratelimit: 15530 callbacks suppressed
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/09/17 06:30 upstream ad8a69f361b9 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
* Struck through repros no longer work on HEAD.