Bug #401: Forward packet code causes WARNING (followed by reboot)
Status: closed
Start date: 10/14/2019
Due date:
% Done: 100%
Estimated time:
Description
@Linus, the syzkaller project found the following problem:
Hello,

syzbot found the following crash on:

HEAD commit:    da940012 Merge tag 'char-misc-5.4-rc3' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ffd808e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2d2fd92a28d3e50
dashboard link: https://syzkaller.appspot.com/bug?extid=c0b807de416427ff3dd1
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=141ffd77600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11edd580e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 30 at net/batman-adv/bat_iv_ogm.c:382 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:382 [inline]
WARNING: CPU: 1 PID: 30 at net/batman-adv/bat_iv_ogm.c:382 batadv_iv_send_outstanding_bat_ogm_packet+0x6b4/0x770 net/batman-adv/bat_iv_ogm.c:1663
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 30 Comm: kworker/u4:2 Not tainted 5.4.0-rc2+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 panic+0x264/0x7a9 kernel/panic.c:221
 __warn+0x20e/0x210 kernel/panic.c:582
 report_bug+0x1b6/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0xd7/0x440 arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:382 [inline]
RIP: 0010:batadv_iv_send_outstanding_bat_ogm_packet+0x6b4/0x770 net/batman-adv/bat_iv_ogm.c:1663
Code: 66 05 00 eb 05 e8 9c 48 23 fa 48 83 c4 68 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 88 48 23 fa 0f 0b e9 34 ff ff ff e8 7c 48 23 fa <0f> 0b e9 28 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c c1 f9 ff
RSP: 0018:ffff8880a9abfc48 EFLAGS: 00010293
RAX: ffffffff874fe8a4 RBX: ffff888094160870 RCX: ffff8880a9ab2080
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff8880a9abfcd8 R08: ffffffff874fe28e R09: ffffed10123e6969
R10: ffffed10123e6969 R11: 0000000000000000 R12: ffff888091f34000
R13: dffffc0000000000 R14: ffff8880a80c5000 R15: ffff8880a4481400
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see: https://goo.gl/tpsmEJ#testing-patches
Updated by Sven Eckelmann about 5 years ago
They also sent the following information (which might be bogus because they tried to bisect a race condition):
syzbot has bisected this bug to:

commit 26d051e301f67cdd2ea3404abb43902f13214efa
Author: Arvind Yadav <arvind.yadav.cs@gmail.com>
Date:   Thu Jun 29 08:21:35 2017 +0000

    media: exynos4-is: fimc-is-i2c: constify dev_pm_ops structures

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10a0aff0e00000
start commit:   da940012 Merge tag 'char-misc-5.4-rc3' of git://git.kernel..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=12a0aff0e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14a0aff0e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2d2fd92a28d3e50
dashboard link: https://syzkaller.appspot.com/bug?extid=c0b807de416427ff3dd1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=141ffd77600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11edd580e00000

Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com
Fixes: 26d051e301f6 ("media: exynos4-is: fimc-is-i2c: constify dev_pm_ops structures")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Updated by Sven Eckelmann about 5 years ago
This is the relevant code:
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 367) /* send a batman ogm packet */
0272a5adb bat_iv_ogm.c (Sven Eckelmann 2012-06-05 22:31:31 +0200 368) static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet)
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 369) {
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 370)     struct net_device *soft_iface;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 371)
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 372)     if (!forw_packet->if_incoming) {
a112eaab4 bat_iv_ogm.c (Sven Eckelmann 2012-03-07 09:07:45 +0100 373)         pr_err("Error - can't forward packet: incoming iface not specified\n");
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 374)         return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 375)     }
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 376)
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 377)     soft_iface = forw_packet->if_incoming->soft_iface;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 378)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 379)     if (WARN_ON(!forw_packet->if_outgoing))
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 380)         return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 381)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 382)     if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface))
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 383)         return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 384)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 385)     if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE)
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 386)         return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 387)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 388)     /* only for one specific outgoing interface */
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 389)     batadv_iv_ogm_send_to_if(forw_packet, forw_packet->if_outgoing);
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 390) }
We should check whether the softif of the outgoing hardif was really changed by the reproducer, and in that case figure out what we should do. If it is expected then don't do a WARN_ON. If it is not then fix the race condition properly.
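As an added, constructed illustration (not batman-adv code, and not the patch that was later proposed), the following user-space C model mirrors the checks in the blame output above and replays the window the comment describes: the outgoing hard interface is moved to a different soft interface between the time the OGM is queued and the time the delayed worker transmits it. It contrasts the WARN_ON variant, where the stale packet raises a kernel warning (and, with the panic_on_warn setting in the syzbot config, a panic and reboot), with a variant that treats the stale packet as an ordinary drop. The struct layouts, MODEL_WARN_ON, run_scenario and the eth0/eth1/bat0/bat1 names are this example's own assumptions.

```c
/* Added example, not batman-adv code: user-space model of the
 * batadv_iv_ogm_emit() consistency checks and of the re-attach race.
 * Structures are simplified stand-ins for batadv_hard_iface and
 * batadv_forw_packet (assumption, not the kernel layout). */
#include <stdio.h>

enum if_status { IF_ACTIVE, IF_INACTIVE };

struct soft_iface { const char *name; };

struct hard_iface {
	const char *name;
	struct soft_iface *soft_iface;  /* may be re-attached while OGMs are queued */
	enum if_status if_status;
};

struct forw_packet {
	struct hard_iface *if_incoming;
	struct hard_iface *if_outgoing;
};

enum emit_result {
	EMIT_SENT, EMIT_NO_INCOMING, EMIT_NO_OUTGOING,
	EMIT_SOFTIF_MISMATCH, EMIT_IF_INACTIVE
};

/* Model of WARN_ON(): each hit is one kernel warning; with panic_on_warn=1
 * (the configuration in the syzbot report) the first hit becomes a reboot. */
static int warn_count;
#define MODEL_WARN_ON(cond) ((cond) ? (warn_count++, 1) : 0)

static int sent_count;
static void send_to_if(struct forw_packet *fp, struct hard_iface *out)
{
	(void)fp; (void)out;
	sent_count++;
}

/* The checks as they appear on the page: the two consistency checks are WARN_ONs. */
static enum emit_result emit_with_warn(struct forw_packet *fp)
{
	struct soft_iface *soft_iface;

	if (!fp->if_incoming)
		return EMIT_NO_INCOMING;
	soft_iface = fp->if_incoming->soft_iface;
	if (MODEL_WARN_ON(!fp->if_outgoing))
		return EMIT_NO_OUTGOING;
	if (MODEL_WARN_ON(fp->if_outgoing->soft_iface != soft_iface))
		return EMIT_SOFTIF_MISMATCH;
	if (fp->if_incoming->if_status != IF_ACTIVE)
		return EMIT_IF_INACTIVE;
	send_to_if(fp, fp->if_outgoing);
	return EMIT_SENT;
}

/* Same checks, but a packet whose interfaces no longer match is treated as
 * stale and silently dropped: an expected timing window, not a kernel bug. */
static enum emit_result emit_drop_stale(struct forw_packet *fp)
{
	struct soft_iface *soft_iface;

	if (!fp->if_incoming)
		return EMIT_NO_INCOMING;
	soft_iface = fp->if_incoming->soft_iface;
	if (!fp->if_outgoing)
		return EMIT_NO_OUTGOING;
	if (fp->if_outgoing->soft_iface != soft_iface)
		return EMIT_SOFTIF_MISMATCH;
	if (fp->if_incoming->if_status != IF_ACTIVE)
		return EMIT_IF_INACTIVE;
	send_to_if(fp, fp->if_outgoing);
	return EMIT_SENT;
}

/* Constructed scenario: an OGM is queued while eth0 and eth1 both belong to
 * bat0.  With reattach_outgoing set, eth1 is moved to bat1 before the delayed
 * worker runs, which is the window the reproducer hits. */
static enum emit_result run_scenario(enum emit_result (*emit)(struct forw_packet *),
				     int reattach_outgoing)
{
	struct soft_iface bat0 = { "bat0" }, bat1 = { "bat1" };
	struct hard_iface eth0 = { "eth0", &bat0, IF_ACTIVE };
	struct hard_iface eth1 = { "eth1", &bat0, IF_ACTIVE };
	struct forw_packet fp = { &eth0, &eth1 };

	if (reattach_outgoing)
		eth1.soft_iface = &bat1;  /* userspace re-attached the interface */
	return emit(&fp);
}

int main(void)
{
	enum emit_result r;

	r = run_scenario(emit_with_warn, 0);
	printf("no race, WARN_ON variant: result %d, warnings %d\n", r, warn_count);
	r = run_scenario(emit_with_warn, 1);
	printf("race, WARN_ON variant:    result %d, warnings %d\n", r, warn_count);
	r = run_scenario(emit_drop_stale, 1);
	printf("race, drop variant:       result %d, warnings %d\n", r, warn_count);
	return 0;
}
```

The point the model makes is the one the comment raises: the mismatch check itself is correct and must stay (sending the OGM through the wrong soft interface would be worse), but whether it is expressed as a WARN_ON decides if an ordinary interface re-attach from userspace becomes a logged drop or, on a panic_on_warn system, a reboot.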
Updated by Sven Eckelmann over 3 years ago
- Status changed from New to In Progress
- Target version set to 2021.2
A patch was proposed under https://patchwork.open-mesh.org/project/b.a.t.m.a.n./patch/20210518190027.547508-1-sven@narfation.org/
Updated by Sven Eckelmann over 3 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
Released as part of batman-adv 2021.2 and Linux 5.13