ci starts bisection 2023-12-07 11:46:20.446158259 +0000 UTC m=+104.551616000
bisecting cause commit starting from 5a08d0065a915ccf325563d7ca57fa8b4897881c
building syzkaller on e3299f55e91df371c35ba414e53898a130068a0e
ensuring issue is reproducible on original commit 5a08d0065a915ccf325563d7ca57fa8b4897881c

testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6632a18792eca853ff77c7003fa89f0e34495f037e01e91b996509561ad307c
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2b6399578c9e47d8723230c05eeb75a5476b7f112c704c08643b5311ffc122a3
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed

kconfig minimization: base=3923 full=7654 leaves diff=2004
split chunks (needed=false): <2004>
split chunk #0 of len 2004 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f48941da2f96ec710b29d313e0470a046b6e89668fc17e72b476907cf5133e6
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2adf148f36aa9d169c6e3e7a7e790d10b94d6f8f4041b711609b1b7ebcb94062
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b0e0965d02fe165ee2db53caccd36e8530bfdd9c50873927147354859c73e1bc
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5dbaddf863adf684c1fd668c396a421c0a632b8b047b1d3973f4338e5e5e02c5
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 5a08d0065a915ccf325563d7ca57fa8b4897881c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec308a9c2ea4a0b5dcbed7735e5233bd8b9f9574bfc841b516ee3d7bf571cfe8
all runs: crashed: WARNING in ip6_route_info_create
representative crash: WARNING in ip6_route_info_create, types: [WARNING]
the chunk can be dropped
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed

picked [v6.6 v6.5 v6.4 v6.2 v6.0 v5.18 v5.16 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 29 release tags
testing release v6.6
testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fd7dfa249cfdef3833e7a672630b7be869018110bad1ccd799833a648571e027
all runs: OK
false negative chance: 0.000

# git bisect start 5a08d0065a915ccf325563d7ca57fa8b4897881c ffc253263a1375a65fa6c9f62a893e9767fbebfa
Bisecting: 8823 revisions left to test after this (roughly 13 steps)
[f00593e09968ed6dfcd10aebb13f470fbe3343b4] Merge tag 'parisc-for-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
testing commit f00593e09968ed6dfcd10aebb13f470fbe3343b4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 52f49c905d5e17335ea7d51d4695f9ff33fd0b2d97f813ba571fd5f51331d8ab
all runs: OK
false negative chance: 0.000
# git bisect good f00593e09968ed6dfcd10aebb13f470fbe3343b4
Bisecting: 4415 revisions left to test after this (roughly 12 steps)
[d99b91a99be430be45413052bb428107c435918b] Merge tag 'char-misc-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit d99b91a99be430be45413052bb428107c435918b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ead27ced4aea448b475c657f6fcd667116ba8acb3e648681813a9f87c065ab77
all runs: OK
false negative chance: 0.000
# git bisect good d99b91a99be430be45413052bb428107c435918b
Bisecting: 2218 revisions left to test after this (roughly 11 steps)
[6d795e2a7df53afccb613cdd1fdc3035a95c8a1d] MAINTAINERS: update lists.linuxfoundation.org migrated lists
testing commit 6d795e2a7df53afccb613cdd1fdc3035a95c8a1d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ca17d82b43bed1032027dc5ba710d52aa051f71babde58d17e503eaee389fdc8
all runs: OK
false negative chance: 0.000
# git bisect good 6d795e2a7df53afccb613cdd1fdc3035a95c8a1d
Bisecting: 1110 revisions left to test after this (roughly 10 steps)
[2254005ef1474d59b706f2ea574d8552071631b1] Merge tag 'parisc-for-6.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
testing commit 2254005ef1474d59b706f2ea574d8552071631b1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9199eb83f83daa6540e1cf8ea34a3850bf147d3d5aedb576d18f233dcc038cf9
all runs: OK
false negative chance: 0.000
# git bisect good 2254005ef1474d59b706f2ea574d8552071631b1
Bisecting: 555 revisions left to test after this (roughly 9 steps)
[02b3de80c5f879f92e5f4bb3f535d172e0fc0ea0] net: page_pool: stash the NAPI ID for easier access
testing commit 02b3de80c5f879f92e5f4bb3f535d172e0fc0ea0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 35bab2b1c14ca913c1788d63e2e950eefa46fd28c39cff1e25fa257b79858161
all runs: OK
false negative chance: 0.000
# git bisect good 02b3de80c5f879f92e5f4bb3f535d172e0fc0ea0
Bisecting: 270 revisions left to test after this (roughly 8 steps)
[6172a5180fcc65170bfa2d49e55427567860f2a7] Merge tag 'net-6.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 6172a5180fcc65170bfa2d49e55427567860f2a7 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 80cb955cd77fc857b8be13238bed11b0dacfcc13677b2d2862613d84983588fa
all runs: OK
false negative chance: 0.000
# git bisect good 6172a5180fcc65170bfa2d49e55427567860f2a7
Bisecting: 135 revisions left to test after this (roughly 7 steps)
[b77e23f1b03e4e9a5940bb52d0480a5098a44c1d] octeon_ep: implement device unload control net API
testing commit b77e23f1b03e4e9a5940bb52d0480a5098a44c1d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8fb60381c0a1e25103e1519889a21821d6fd6c3f31b7cc20eab3c5f37f82f9c1
all runs: OK
false negative chance: 0.000
# git bisect good b77e23f1b03e4e9a5940bb52d0480a5098a44c1d
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[041a6ac4bf792eaf4c5898b3a744e98cfdc43a7a] docs: bridge: add VLAN doc
testing commit 041a6ac4bf792eaf4c5898b3a744e98cfdc43a7a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 24e86a861fd09e729d8b2d49988a71f8aa9b5618f696ac3ca25a2bd3db99f7de
all runs: OK
false negative chance: 0.000
# git bisect good 041a6ac4bf792eaf4c5898b3a744e98cfdc43a7a
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[fb70136ded2e1ea3cde27d0393cfadab4240a141] ipvlan: implement .parse_protocol hook function in ipvlan_header_ops
testing commit fb70136ded2e1ea3cde27d0393cfadab4240a141 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4e5e3ff9f8503dbd596915f173d1fe218796f7bf48e032a4d59cb1935413f79c
all runs: OK
false negative chance: 0.000
# git bisect good fb70136ded2e1ea3cde27d0393cfadab4240a141
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[7dd12fe34686d89c332b1a05104d18d728591f0a] net: mvmdio: Avoid excessive sleeps in polled mode
testing commit 7dd12fe34686d89c332b1a05104d18d728591f0a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bddcbe9e98c6874e3f99d2044ac1d02432c8bd0878b7b8480948717bd0f5ddd7
all runs: OK
false negative chance: 0.000
# git bisect good 7dd12fe34686d89c332b1a05104d18d728591f0a
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[19b707c3f23a7923ab40732521123d9b59965cc4] Documentations: fix net_cachelines documentation build warning
testing commit 19b707c3f23a7923ab40732521123d9b59965cc4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 88c04494b22a7770e842f3dd631b2fea6f241273b19771908a42ae429b33e361
all runs: OK
false negative chance: 0.000
# git bisect good 19b707c3f23a7923ab40732521123d9b59965cc4
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[2d0b80c3a550f7828f26dba029c2b9346be789af] ionic: Don't check null when calling vfree()
testing commit 2d0b80c3a550f7828f26dba029c2b9346be789af gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d7439363186027b05c3dabe574e87747100485b8a2c0936aa9ee1d8de9644c04
all runs: OK
false negative chance: 0.000
# git bisect good 2d0b80c3a550f7828f26dba029c2b9346be789af
Bisecting: 2 revisions left to test after this (roughly 1 step)
[5858036ca05658051ec61551e6699cca9c7d3369] ionic: Re-arrange ionic_intr_info struct for cache perf
testing commit 5858036ca05658051ec61551e6699cca9c7d3369 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5fbc57d45d3bc575f763d5be8586bf185f66075c834c9cff6fa5567cd2a2659
all runs: OK
false negative chance: 0.000
# git bisect good 5858036ca05658051ec61551e6699cca9c7d3369
Bisecting: 0 revisions left to test after this (roughly 1 step)
[074ac38d5b955a6b2241c2b483470501f318a6f1] octeontx2-af: cn10k: Increase outstanding LMTST transactions
testing commit 074ac38d5b955a6b2241c2b483470501f318a6f1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1162deb7c9940ce51b4489f4bdcb76083bcdd719ca8f8d2b6ff79603a7163546
all runs: OK
false negative chance: 0.000
# git bisect good 074ac38d5b955a6b2241c2b483470501f318a6f1

5a08d0065a915ccf325563d7ca57fa8b4897881c is the first bad commit
commit 5a08d0065a915ccf325563d7ca57fa8b4897881c
Author: Eric Dumazet
Date:   Tue Dec 5 17:32:50 2023 +0000

    ipv6: add debug checks in fib6_info_release()

    Some elusive syzbot reports are hinting to fib6_info_release(), with a potential dangling f6i->gc_link anchor.

    Add debug checks so that syzbot can catch the issue earlier eventually.

    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
    BUG: KASAN: slab-use-after-free in hlist_del_init include/linux/list.h:1016 [inline]
    BUG: KASAN: slab-use-after-free in fib6_clean_expires_locked include/net/ip6_fib.h:533 [inline]
    BUG: KASAN: slab-use-after-free in fib6_purge_rt+0x986/0x9c0 net/ipv6/ip6_fib.c:1064
    Write of size 8 at addr ffff88802805a840 by task syz-executor.1/10057

    CPU: 1 PID: 10057 Comm: syz-executor.1 Not tainted 6.7.0-rc2-syzkaller-00029-g9b6de136b5f0 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:364 [inline]
     print_report+0xc4/0x620 mm/kasan/report.c:475
     kasan_report+0xda/0x110 mm/kasan/report.c:588
     __hlist_del include/linux/list.h:990 [inline]
     hlist_del_init include/linux/list.h:1016 [inline]
     fib6_clean_expires_locked include/net/ip6_fib.h:533 [inline]
     fib6_purge_rt+0x986/0x9c0 net/ipv6/ip6_fib.c:1064
     fib6_del_route net/ipv6/ip6_fib.c:1993 [inline]
     fib6_del+0xa7a/0x1750 net/ipv6/ip6_fib.c:2038
     __ip6_del_rt net/ipv6/route.c:3866 [inline]
     ip6_del_rt+0xf7/0x200 net/ipv6/route.c:3881
     ndisc_router_discovery+0x295b/0x3560 net/ipv6/ndisc.c:1372
     ndisc_rcv+0x3de/0x5f0 net/ipv6/ndisc.c:1856
     icmpv6_rcv+0x1470/0x19c0 net/ipv6/icmp.c:979
     ip6_protocol_deliver_rcu+0x170/0x13e0 net/ipv6/ip6_input.c:438
     ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ip6_input+0xa1/0xc0 net/ipv6/ip6_input.c:492
     ip6_mc_input+0x48b/0xf40 net/ipv6/ip6_input.c:586
     dst_input include/net/dst.h:461 [inline]
     ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ipv6_rcv+0x24e/0x380 net/ipv6/ip6_input.c:310
     __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5529
     __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5643
     netif_receive_skb_internal net/core/dev.c:5729 [inline]
     netif_receive_skb+0x133/0x700 net/core/dev.c:5788
     tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
     tun_get_user+0x29e3/0x3bc0 drivers/net/tun.c:2002
     tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
     call_write_iter include/linux/fs.h:2020 [inline]
     new_sync_write fs/read_write.c:491 [inline]
     vfs_write+0x64f/0xdf0 fs/read_write.c:584
     ksys_write+0x12f/0x250 fs/read_write.c:637
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    RIP: 0033:0x7f38e387b82f
    Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 b9 80 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 0c 81 02 00 48
    RSP: 002b:00007f38e45c9090 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 00007f38e399bf80 RCX: 00007f38e387b82f
    RDX: 00000000000003b6 RSI: 0000000020000680 RDI: 00000000000000c8
    RBP: 00007f38e38c847a R08: 0000000000000000 R09: 0000000000000000
    R10: 00000000000003b6 R11: 0000000000000293 R12: 0000000000000000
    R13: 000000000000000b R14: 00007f38e399bf80 R15: 00007f38e3abfa48

    Allocated by task 10044:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     ____kasan_kmalloc mm/kasan/common.c:374 [inline]
     __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
     kasan_kmalloc include/linux/kasan.h:198 [inline]
     __do_kmalloc_node mm/slab_common.c:1007 [inline]
     __kmalloc+0x59/0x90 mm/slab_common.c:1020
     kmalloc include/linux/slab.h:604 [inline]
     kzalloc include/linux/slab.h:721 [inline]
     fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
     ip6_route_info_create+0x337/0x1e70 net/ipv6/route.c:3749
     ip6_route_add+0x26/0x150 net/ipv6/route.c:3843
     rt6_add_route_info+0x2e7/0x4b0 net/ipv6/route.c:4316
     rt6_route_rcv+0x76c/0xbf0 net/ipv6/route.c:985
     ndisc_router_discovery+0x138b/0x3560 net/ipv6/ndisc.c:1529
     ndisc_rcv+0x3de/0x5f0 net/ipv6/ndisc.c:1856
     icmpv6_rcv+0x1470/0x19c0 net/ipv6/icmp.c:979
     ip6_protocol_deliver_rcu+0x170/0x13e0 net/ipv6/ip6_input.c:438
     ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ip6_input+0xa1/0xc0 net/ipv6/ip6_input.c:492
     ip6_mc_input+0x48b/0xf40 net/ipv6/ip6_input.c:586
     dst_input include/net/dst.h:461 [inline]
     ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ipv6_rcv+0x24e/0x380 net/ipv6/ip6_input.c:310
     __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5529
     __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5643
     netif_receive_skb_internal net/core/dev.c:5729 [inline]
     netif_receive_skb+0x133/0x700 net/core/dev.c:5788
     tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
     tun_get_user+0x29e3/0x3bc0 drivers/net/tun.c:2002
     tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
     call_write_iter include/linux/fs.h:2020 [inline]
     new_sync_write fs/read_write.c:491 [inline]
     vfs_write+0x64f/0xdf0 fs/read_write.c:584
     ksys_write+0x12f/0x250 fs/read_write.c:637
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    Freed by task 5123:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
     ____kasan_slab_free mm/kasan/common.c:236 [inline]
     ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
     kasan_slab_free include/linux/kasan.h:164 [inline]
     slab_free_hook mm/slub.c:1800 [inline]
     slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
     slab_free mm/slub.c:3809 [inline]
     __kmem_cache_free+0xc0/0x180 mm/slub.c:3822
     rcu_do_batch kernel/rcu/tree.c:2158 [inline]
     rcu_core+0x819/0x1680 kernel/rcu/tree.c:2431
     __do_softirq+0x21a/0x8de kernel/softirq.c:553

    Last potentially related work creation:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
     __call_rcu_common.constprop.0+0x9a/0x7a0 kernel/rcu/tree.c:2681
     fib6_info_release include/net/ip6_fib.h:332 [inline]
     fib6_info_release include/net/ip6_fib.h:329 [inline]
     rt6_route_rcv+0xa4e/0xbf0 net/ipv6/route.c:997
     ndisc_router_discovery+0x138b/0x3560 net/ipv6/ndisc.c:1529
     ndisc_rcv+0x3de/0x5f0 net/ipv6/ndisc.c:1856
     icmpv6_rcv+0x1470/0x19c0 net/ipv6/icmp.c:979
     ip6_protocol_deliver_rcu+0x170/0x13e0 net/ipv6/ip6_input.c:438
     ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ip6_input+0xa1/0xc0 net/ipv6/ip6_input.c:492
     ip6_mc_input+0x48b/0xf40 net/ipv6/ip6_input.c:586
     dst_input include/net/dst.h:461 [inline]
     ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ipv6_rcv+0x24e/0x380 net/ipv6/ip6_input.c:310
     __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5529
     __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5643
     netif_receive_skb_internal net/core/dev.c:5729 [inline]
     netif_receive_skb+0x133/0x700 net/core/dev.c:5788
     tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
     tun_get_user+0x29e3/0x3bc0 drivers/net/tun.c:2002
     tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
     call_write_iter include/linux/fs.h:2020 [inline]
     new_sync_write fs/read_write.c:491 [inline]
     vfs_write+0x64f/0xdf0 fs/read_write.c:584
     ksys_write+0x12f/0x250 fs/read_write.c:637
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    Second to last potentially related work creation:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
     insert_work+0x38/0x230 kernel/workqueue.c:1647
     __queue_work+0xcdc/0x11f0 kernel/workqueue.c:1803
     call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
     expire_timers kernel/time/timer.c:1746 [inline]
     __run_timers+0x585/0xb20 kernel/time/timer.c:2022
     run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
     __do_softirq+0x21a/0x8de kernel/softirq.c:553

    The buggy address belongs to the object at ffff88802805a800
     which belongs to the cache kmalloc-512 of size 512
    The buggy address is located 64 bytes inside of
     freed 512-byte region [ffff88802805a800, ffff88802805aa00)

    The buggy address belongs to the physical page:
    page:ffffea0000a01600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28058
    head:ffffea0000a01600 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
    page_type: 0xffffffff()
    raw: 00fff00000000840 ffff888013041c80 ffffea0001e02600 dead000000000002
    raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 18706, tgid 18699 (syz-executor.2), ts 999991973280, free_ts 996884464281
     set_page_owner include/linux/page_owner.h:31 [inline]
     post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1537
     prep_new_page mm/page_alloc.c:1544 [inline]
     get_page_from_freelist+0xa25/0x36d0 mm/page_alloc.c:3312
     __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4568
     alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
     alloc_slab_page mm/slub.c:1870 [inline]
     allocate_slab mm/slub.c:2017 [inline]
     new_slab+0x283/0x3c0 mm/slub.c:2070
     ___slab_alloc+0x979/0x1500 mm/slub.c:3223
     __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
     __slab_alloc_node mm/slub.c:3375 [inline]
     slab_alloc_node mm/slub.c:3468 [inline]
     __kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
     __do_kmalloc_node mm/slab_common.c:1006 [inline]
     __kmalloc+0x49/0x90 mm/slab_common.c:1020
     kmalloc include/linux/slab.h:604 [inline]
     kzalloc include/linux/slab.h:721 [inline]
     copy_splice_read+0x1ac/0x8f0 fs/splice.c:338
     vfs_splice_read fs/splice.c:992 [inline]
     vfs_splice_read+0x2ea/0x3b0 fs/splice.c:962
     splice_direct_to_actor+0x2a5/0xa30 fs/splice.c:1069
     do_splice_direct+0x1af/0x280 fs/splice.c:1194
     do_sendfile+0xb3e/0x1310 fs/read_write.c:1254
     __do_sys_sendfile64 fs/read_write.c:1322 [inline]
     __se_sys_sendfile64 fs/read_write.c:1308 [inline]
     __x64_sys_sendfile64+0x1d6/0x220 fs/read_write.c:1308
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
    page last free stack trace:
     reset_page_owner include/linux/page_owner.h:24 [inline]
     free_pages_prepare mm/page_alloc.c:1137 [inline]
     free_unref_page_prepare+0x4fa/0xaa0 mm/page_alloc.c:2347
     free_unref_page_list+0xe6/0xb40 mm/page_alloc.c:2533
     release_pages+0x32a/0x14f0 mm/swap.c:1042
     tlb_batch_pages_flush+0x9a/0x190 mm/mmu_gather.c:98
     tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
     tlb_flush_mmu mm/mmu_gather.c:300 [inline]
     tlb_finish_mmu+0x14b/0x6f0 mm/mmu_gather.c:392
     exit_mmap+0x38b/0xa70 mm/mmap.c:3321
     __mmput+0x12a/0x4d0 kernel/fork.c:1349
     mmput+0x62/0x70 kernel/fork.c:1371
     exit_mm kernel/exit.c:567 [inline]
     do_exit+0x9ad/0x2ae0 kernel/exit.c:858
     do_group_exit+0xd4/0x2a0 kernel/exit.c:1021
     get_signal+0x23be/0x2790 kernel/signal.c:2904
     arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:309
     exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
     exit_to_user_mode_prepare+0x121/0x240 kernel/entry/common.c:204
     irqentry_exit_to_user_mode+0xa/0x40 kernel/entry/common.c:309
     asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645

    Signed-off-by: Eric Dumazet
    Reviewed-by: David Ahern
    Link: https://lore.kernel.org/r/20231205173250.2982846-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski

 include/net/ip6_fib.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: ec308a9c2ea4a0b5dcbed7735e5233bd8b9f9574bfc841b516ee3d7bf571cfe8
parent signature: 1162deb7c9940ce51b4489f4bdcb76083bcdd719ca8f8d2b6ff79603a7163546
revisions tested: 22, total time: 5h33m34.165047329s (build: 1h53m31.533965701s, test: 2h45m2.42059049s)
first bad commit: 5a08d0065a915ccf325563d7ca57fa8b4897881c ipv6: add debug checks in fib6_info_release()
recipients (to): ["dsahern@kernel.org" "edumazet@google.com" "kuba@kernel.org"]
recipients (cc): []

crash: WARNING in ip6_route_info_create
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1861 at include/net/ip6_fib.h:332 fib6_info_release include/net/ip6_fib.h:332 [inline]
WARNING: CPU: 0 PID: 1861 at include/net/ip6_fib.h:332 ip6_route_info_create+0x615/0x6e0 net/ipv6/route.c:3829
Modules linked in:
CPU: 0 PID: 1861 Comm: syz-executor.0 Not tainted 6.7.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:fib6_info_release include/net/ip6_fib.h:332 [inline]
RIP: 0010:ip6_route_info_create+0x615/0x6e0 net/ipv6/route.c:3829
Code: 49 83 7a 40 00 75 28 49 8d ba a0 00 00 00 48 c7 c6 b0 36 a3 81 48 89 54 24 20 e8 96 8b 6d ff 48 8b 54 24 20 e9 ed fc ff ff 90 <0f> 0b 90 eb d1 90 0f 0b 90 eb d2 49 8b 16 31 c9 4c 89 ef 4c 89 54
RSP: 0018:ffffc900019f7be0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000cc0
RDX: ffffffffffffffed RSI: ffffffff820ea31b RDI: ffff8881066c402c
RBP: ffffc900019f7c30 R08: 0000000000000000 R09: 00000000ffffffff
R10: ffff8881066c4000 R11: 0000000000000001 R12: 0000000000000cc0
R13: ffff8881017a8000 R14: ffff8881066c40b8 R15: ffffc900019f7c98
FS: 00007f6ccddb06c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 0000000106aa0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6_route_add+0x17/0xd0 net/ipv6/route.c:3843
 ipv6_route_ioctl+0x156/0x1b0 net/ipv6/route.c:4467
 inet6_ioctl+0x157/0x170 net/ipv6/af_inet6.c:575
 sock_do_ioctl+0x71/0x110 net/socket.c:1220
 sock_ioctl+0x1c3/0x310 net/socket.c:1339
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x8b/0xc0 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6cce22dae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6ccddb00c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6cce34cf80 RCX: 00007f6cce22dae9
RDX: 00000000200001c0 RSI: 000000000000890b RDI: 0000000000000003
RBP: 00007f6cce27947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f6cce34cf80 R15: 00007ffc1682ff88