syzbot


INFO: rcu detected stall in ipv6_rcv

Status: auto-closed as invalid on 2021/03/22 19:41
Reported-by: syzbot+1fe510cef04db175073d@syzkaller.appspotmail.com
First crash: 801d, last: 801d
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream INFO: rcu detected stall in ipv6_rcv 7 1466d 1503d 12/24 fixed on 2019/03/06 07:43
linux-4.19 BUG: soft lockup in ipv6_rcv C error 25 187d 664d 0/1 upstream: reported C repro on 2021/04/08 17:19
linux-4.14 INFO: rcu detected stall in ipv6_rcv 1 1012d 1012d 0/1 auto-closed as invalid on 2020/08/24 07:16
upstream INFO: rcu detected stall in ipv6_rcv (2) C done 550 282d 1287d 0/24 upstream: reported C repro on 2019/07/26 09:38

Sample crash report:
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:a8:ad:5b:8e:82, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:a8:ad:5b:8e:82, vlan:0)
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	(detected by 1, t=10502 jiffies, g=9109, q=4609)
rcu: All QSes seen, last rcu_preempt kthread activity 10485 (4294972934-4294962449), jiffies_till_next_fqs=1, root ->qsmask 0x0
syz-executor.3  R  running task    26944 10174   8121 0x8000000c
Call Trace:
 <IRQ>
 sched_show_task.cold+0x332/0x396 kernel/sched/core.c:5341
 print_other_cpu_stall kernel/rcu/tree.c:1430 [inline]
 check_cpu_stall kernel/rcu/tree.c:1557 [inline]
 __rcu_pending kernel/rcu/tree.c:3293 [inline]
 rcu_pending kernel/rcu/tree.c:3336 [inline]
 rcu_check_callbacks.cold+0xb37/0xe19 kernel/rcu/tree.c:2682
 update_process_times+0x2a/0x70 kernel/time/timer.c:1650
 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:168
 tick_sched_timer+0xfc/0x290 kernel/time/tick-sched.c:1278
 __run_hrtimer kernel/time/hrtimer.c:1401 [inline]
 __hrtimer_run_queues+0x3f6/0xe60 kernel/time/hrtimer.c:1463
 hrtimer_interrupt+0x32a/0x930 kernel/time/hrtimer.c:1521
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1067 [inline]
 smp_apic_timer_interrupt+0x10c/0x550 arch/x86/kernel/apic/apic.c:1092
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:find_match.part.0+0x34b/0x1530 net/ipv6/route.c:700
Code: 89 45 a8 e8 47 e3 3e fa 48 8b 45 a8 48 85 c0 0f 89 9a fe ff ff 4c 8b 65 b8 e8 a1 e1 3e fa 48 8d 65 d0 4c 89 e0 5b 41 5a 41 5c <41> 5d 41 5e 41 5f 5d c3 c6 45 a8 01 45 31 ed e9 bd fe ff ff e8 7c
RSP: 0018:ffff8880ba106cc8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: ffff888097b3a480 RCX: ffffffff8725ed2e
RDX: 0000000000000100 RSI: ffffffff8725ee5f RDI: 0000000000000005
RBP: ffff8880ba106ce0 R08: 0000000000000000 R09: 00000000fffffffd
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
R13: 00000000fffffffd R14: ffff888097b3a4d4 R15: 0000000000000000
 find_match net/ipv6/route.c:670 [inline]
 find_rr_leaf net/ipv6/route.c:719 [inline]
 rt6_select net/ipv6/route.c:769 [inline]
 fib6_table_lookup+0x4c2/0xf40 net/ipv6/route.c:1876
 ip6_pol_route+0x180/0x1270 net/ipv6/route.c:1909
 fib6_rule_lookup+0x10b/0x4e0 net/ipv6/fib6_rules.c:118
 ip6_route_input_lookup net/ipv6/route.c:1990 [inline]
 ip6_route_input+0x709/0xa40 net/ipv6/route.c:2125
 ip6_rcv_finish_core.constprop.0.isra.0+0xd7/0x550 net/ipv6/ip6_input.c:63
 ip6_rcv_finish+0x176/0x2f0 net/ipv6/ip6_input.c:74
 ip_sabotage_in net/bridge/br_netfilter_hooks.c:844 [inline]
 ip_sabotage_in+0x17d/0x1d0 net/bridge/br_netfilter_hooks.c:838
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xc5/0x1e0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0x26a/0x3f0 net/ipv6/ip6_input.c:283
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
 netif_receive_skb_internal+0xf0/0x3f0 net/core/dev.c:5156
 NF_HOOK include/linux/netfilter.h:289 [inline]
 br_pass_frame_up+0x309/0x6c0 net/bridge/br_input.c:69
 br_handle_frame_finish+0x6f2/0x1410 net/bridge/br_input.c:173
 br_nf_hook_thresh+0x2a3/0x330 net/bridge/br_netfilter_hooks.c:1011
 br_nf_pre_routing_finish_ipv6+0x6e3/0xd40 net/bridge/br_netfilter_ipv6.c:210
 NF_HOOK include/linux/netfilter.h:289 [inline]
 br_nf_pre_routing_ipv6+0x3f4/0x854 net/bridge/br_netfilter_ipv6.c:240
 br_nf_pre_routing+0xf05/0x14fe net/bridge/br_netfilter_hooks.c:494
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xc5/0x1e0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 br_handle_frame+0xa60/0x13ae net/bridge/br_input.c:306
 __netif_receive_skb_core+0x929/0x3270 net/core/dev.c:4876
 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:4952
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
 process_backlog+0x241/0x700 net/core/dev.c:5848
 napi_poll net/core/dev.c:6272 [inline]
 net_rx_action+0x4ac/0xfb0 net/core/dev.c:6338
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:lock_page_memcg+0x6b/0x220 mm/memcontrol.c:1913
Code: 3d bc 68 6e 09 00 0f 84 e0 00 00 00 0f 1f 44 00 00 4c 8d 7b 38 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 78 01 00 00 4c 8b 63 38 4d 89 fd 49 be 00 00 00 00 00 fc ff
RSP: 0018:ffff8880580676b8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffffea0002450c80 RCX: ffffffff81538403
RDX: 1ffffd400048a197 RSI: 0000000000000004 RDI: ffff8880ba122a90
RBP: ffffea0002450c80 R08: 0000000000000000 R09: ffffed1017424552
R10: ffff8880ba122a93 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffea0002450c80 R15: ffffea0002450cb8
 page_remove_file_rmap+0x36/0xa30 mm/rmap.c:1215
 page_remove_rmap+0xe5/0x120 mm/rmap.c:1300
 zap_pte_range mm/memory.c:1350 [inline]
 zap_pmd_range mm/memory.c:1452 [inline]
 zap_pud_range mm/memory.c:1481 [inline]
 zap_p4d_range mm/memory.c:1502 [inline]
 unmap_page_range+0x12f6/0x2a70 mm/memory.c:1523
 unmap_single_vma+0x198/0x300 mm/memory.c:1568
 unmap_vmas+0xa9/0x180 mm/memory.c:1598
 exit_mmap+0x2b9/0x530 mm/mmap.c:3093
 __mmput kernel/fork.c:1015 [inline]
 mmput+0x14e/0x4a0 kernel/fork.c:1036
 exit_mm kernel/exit.c:549 [inline]
 do_exit+0xaf0/0x2be0 kernel/exit.c:877
 do_group_exit+0x125/0x310 kernel/exit.c:993
 get_signal+0x3f2/0x1f70 kernel/signal.c:2589
 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:821
 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45deb9
Code: f9 00 48 8d 15 08 4f 6c 01 48 89 14 24 e8 cf ce fa ff 0f b6 44 24 2f 3c 00 0f 85 10 01 00 00 e8 7d 7e fd ff 48 8d 05 a2 c1 55 <00> 48 89 04 24 48 c7 44 24 08 11 00 00 00 e8 a4 87 fd ff 8b 44 24
RSP: 002b:00007fbefead5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: 0000000000000004 RBX: 0000000000023540 RCX: 000000000045deb9
RDX: 0000000000060000 RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fffb43e1c9f R14: 00007fbefead69c0 R15: 000000000118bf2c
rcu: rcu_preempt kthread starved for 10485 jiffies! g9109 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: RCU grace-period kthread stack dump:
rcu_preempt     R  running task    29760    10      2 0x80000000
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x887/0x2040 kernel/sched/core.c:3517
 schedule+0x8d/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x4cf/0xfe0 kernel/time/timer.c:1818
 rcu_gp_kthread+0xdad/0x21c0 kernel/rcu/tree.c:2202
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
INFO: task syz-executor.1:10191 blocked for more than 140 seconds.
      Not tainted 4.19.159-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.1  D29288 10191   8117 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x887/0x2040 kernel/sched/core.c:3517
 schedule+0x8d/0x1b0 kernel/sched/core.c:3561
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3619
 __mutex_lock_common kernel/locking/mutex.c:1002 [inline]
 __mutex_lock+0x647/0x1260 kernel/locking/mutex.c:1072
 genl_lock net/netlink/genetlink.c:33 [inline]
 genl_rcv_msg+0x12f/0x160 net/netlink/genetlink.c:625
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:632
 __sys_sendto+0x21a/0x320 net/socket.c:1787
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1795
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x417937
Code: Bad RIP value.
RSP: 002b:00007f5f534c9b40 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5f534c9bf0 RCX: 0000000000417937
RDX: 0000000000000020 RSI: 00007f5f534c9c40 RDI: 0000000000000007
RBP: 0000000000000000 R08: 00007f5f534c9b50 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f5f534c9bb4
R13: 0000000000000010 R14: 00007f5f534c9c40 R15: 0000000000000007
INFO: task syz-executor.0:10172 blocked for more than 140 seconds.
      Not tainted 4.19.159-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.0  D27904 10172   8115 0x80000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x887/0x2040 kernel/sched/core.c:3517
 schedule+0x8d/0x1b0 kernel/sched/core.c:3561
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3619
 __mutex_lock_common kernel/locking/mutex.c:1002 [inline]
 __mutex_lock+0x647/0x1260 kernel/locking/mutex.c:1072
net_ratelimit: 18919 callbacks suppressed
bridge0: received packet on veth0_to_bridge with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on veth0_to_bridge with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on veth0_to_bridge with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
 ip6_tnl_exit_batch_net+0x82/0x660 net/ipv6/ip6_tunnel.c:2275
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:156
 setup_net+0x3d1/0x720 net/core/net_namespace.c:332
 copy_net_ns+0x1f7/0x335 net/core/net_namespace.c:438
 create_new_namespaces+0x3f6/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:206
 ksys_unshare+0x36c/0x9a0 kernel/fork.c:2551
 __do_sys_unshare kernel/fork.c:2619 [inline]
 __se_sys_unshare kernel/fork.c:2617 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2617
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45deb9
Code: Bad RIP value.
RSP: 002b:00007f4f18597c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000000000038240 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000060000000
RBP: 000000000118bf50 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffd0db19ebf R14: 00007f4f185989c0 R15: 000000000118bf2c
INFO: task syz-executor.2:10183 blocked for more than 140 seconds.
      Not tainted 4.19.159-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2  D29040 10183   8119 0x80000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x887/0x2040 kernel/sched/core.c:3517
 schedule+0x8d/0x1b0 kernel/sched/core.c:3561
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3619
 __mutex_lock_common kernel/locking/mutex.c:1002 [inline]
 __mutex_lock+0x647/0x1260 kernel/locking/mutex.c:1072
 gtp_net_exit+0x1ba/0x37d drivers/net/gtp.c:1361
 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
 setup_net+0x3d1/0x720 net/core/net_namespace.c:332
 copy_net_ns+0x1f7/0x335 net/core/net_namespace.c:438
 create_new_namespaces+0x3f6/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:206
 ksys_unshare+0x36c/0x9a0 kernel/fork.c:2551
 __do_sys_unshare kernel/fork.c:2619 [inline]
 __se_sys_unshare kernel/fork.c:2617 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2617
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45deb9
Code: Bad RIP value.
RSP: 002b:00007fe33cf84c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000000000038240 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 000000000118bf50 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fffbe08e47f R14: 00007fe33cf859c0 R15: 000000000118bf2c

Showing all locks held in the system:
3 locks held by kworker/u4:0/7:
4 locks held by kworker/u4:1/23:
3 locks held by kworker/u4:2/33:
3 locks held by kworker/u4:3/175:
3 locks held by kworker/u4:4/664:
1 lock held by khungtaskd/1567:
 #0: 000000005dc2302b (rcu_read_lock){....}, at: debug_show_all_locks+0x53/0x265 kernel/locking/lockdep.c:4440
2 locks held by bat_events/4602:
1 lock held by systemd-journal/4685:
1 lock held by in:imklog/7775:
2 locks held by kworker/1:4/9278:
4 locks held by kworker/u4:5/9421:
3 locks held by kworker/u4:6/9537:
2 locks held by kworker/u4:7/9540:
3 locks held by syz-executor.5/10177:
2 locks held by syz-executor.1/10191:
net_ratelimit: 14493 callbacks suppressed
bridge0: received packet on veth0_to_bridge with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:a8:ad:5b:8e:82, vlan:0)
ICMPv6: NA: 24:02:48:ff:05:00 advertised our address fe80::2602:48ff:feff:500 on bridge0!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:24:02:48:ff:05:00, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:a8:ad:5b:8e:82, vlan:0)

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-19 2020/11/22 19:41 linux-4.19.y 76bda503e640 0d27f508 .config console log report info
* Struck through repros no longer work on HEAD.