Bug #401
closed
Forward packet code causes WARNING (followed by reboot)
Added by Sven Eckelmann about 5 years ago.
Updated over 3 years ago.
Description
@Linus, the syzkaller project found the following problem:
Hello,
syzbot found the following crash on:
HEAD commit: da940012 Merge tag 'char-misc-5.4-rc3' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ffd808e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d2fd92a28d3e50
dashboard link: https://syzkaller.appspot.com/bug?extid=c0b807de416427ff3dd1
compiler: clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141ffd77600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11edd580e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 1 PID: 30 at net/batman-adv/bat_iv_ogm.c:382
batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:382 [inline]
WARNING: CPU: 1 PID: 30 at net/batman-adv/bat_iv_ogm.c:382
batadv_iv_send_outstanding_bat_ogm_packet+0x6b4/0x770
net/batman-adv/bat_iv_ogm.c:1663
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 30 Comm: kworker/u4:2 Not tainted 5.4.0-rc2+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
panic+0x264/0x7a9 kernel/panic.c:221
__warn+0x20e/0x210 kernel/panic.c:582
report_bug+0x1b6/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:179 [inline]
do_error_trap+0xd7/0x440 arch/x86/kernel/traps.c:272
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:382 [inline]
RIP: 0010:batadv_iv_send_outstanding_bat_ogm_packet+0x6b4/0x770
net/batman-adv/bat_iv_ogm.c:1663
Code: 66 05 00 eb 05 e8 9c 48 23 fa 48 83 c4 68 5b 41 5c 41 5d 41 5e 41 5f
5d c3 e8 88 48 23 fa 0f 0b e9 34 ff ff ff e8 7c 48 23 fa <0f> 0b e9 28 ff
ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c c1 f9 ff
RSP: 0018:ffff8880a9abfc48 EFLAGS: 00010293
RAX: ffffffff874fe8a4 RBX: ffff888094160870 RCX: ffff8880a9ab2080
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff8880a9abfcd8 R08: ffffffff874fe28e R09: ffffed10123e6969
R10: ffffed10123e6969 R11: 0000000000000000 R12: ffff888091f34000
R13: dffffc0000000000 R14: ffff8880a80c5000 R15: ffff8880a4481400
process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
kthread+0x332/0x350 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
They also sent the following information (which might be bogus because they tried to bisect a race condition):
syzbot has bisected this bug to:
commit 26d051e301f67cdd2ea3404abb43902f13214efa
Author: Arvind Yadav <arvind.yadav.cs@gmail.com>
Date: Thu Jun 29 08:21:35 2017 +0000
media: exynos4-is: fimc-is-i2c: constify dev_pm_ops structures
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10a0aff0e00000
start commit: da940012 Merge tag 'char-misc-5.4-rc3' of git://git.kernel..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=12a0aff0e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14a0aff0e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d2fd92a28d3e50
dashboard link: https://syzkaller.appspot.com/bug?extid=c0b807de416427ff3dd1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141ffd77600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11edd580e00000
Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com
Fixes: 26d051e301f6 ("media: exynos4-is: fimc-is-i2c: constify dev_pm_ops structures")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
This is the relevant code:
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 367) /* send a batman ogm packet */
0272a5adb bat_iv_ogm.c (Sven Eckelmann 2012-06-05 22:31:31 +0200 368) static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet)
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 369) {
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 370) struct net_device *soft_iface;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 371)
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 372) if (!forw_packet->if_incoming) {
a112eaab4 bat_iv_ogm.c (Sven Eckelmann 2012-03-07 09:07:45 +0100 373) pr_err("Error - can't forward packet: incoming iface not specified\n");
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 374) return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 375) }
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 376)
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 377) soft_iface = forw_packet->if_incoming->soft_iface;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 378)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 379) if (WARN_ON(!forw_packet->if_outgoing))
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 380) return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 381)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 382) if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface))
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 383) return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 384)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 385) if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE)
7395e6466 net/batman-adv/bat_iv_ogm.c (Linus Lüssing 2016-06-14 22:56:50 +0200 386) return;
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 387)
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 388) /* only for one specific outgoing interface */
29b9256e6 bat_iv_ogm.c (Simon Wunderlich 2013-11-13 19:14:49 +0100 389) batadv_iv_ogm_send_to_if(forw_packet, forw_packet->if_outgoing);
e60d5c11f bat_iv_ogm.c (Marek Lindner 2011-08-03 09:09:30 +0200 390) }
We should check whether the softif of the outgoing hardif was really changed by the reproducer and, if so, figure out what we should do in that case. If it is expected then don't do a WARN_ON. If it is not then fix the race condition properly.
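The timing window described above, replayed in a constructed user-space model (this is an added example, not batman-adv code and not the fix that shipped): the structures, names and the ogm_emit() return codes are hypothetical. It keeps the check order of bat_iv_ogm.c:372-389 but treats the two WARN_ON() conditions as drop reasons, which is the "expected state" option from the description; with panic_on_warn set, as in the syzbot config, a WARN_ON on a state that a re-attach can legitimately produce turns one stale queued OGM into a reboot.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the batman-adv objects involved (constructed for
 * this example; field names follow the kernel code only loosely). */
struct soft_iface { const char *name; };
struct hard_iface {
	const char *name;
	struct soft_iface *soft_iface; /* can be re-attached while an OGM is queued */
	bool active;
};
struct forw_packet {
	struct hard_iface *if_incoming;
	struct hard_iface *if_outgoing;
};

enum emit_result { EMIT_SENT, EMIT_NO_INCOMING, EMIT_NO_OUTGOING,
		   EMIT_SOFTIF_MISMATCH, EMIT_INACTIVE };

static unsigned long mismatch_drops; /* debug counter instead of WARN_ON */

/* Same checks as batadv_iv_ogm_emit(), but a stale if_outgoing is a
 * drop reason, not a kernel bug assertion. */
static enum emit_result ogm_emit(struct forw_packet *fp)
{
	struct soft_iface *soft_iface;

	if (!fp->if_incoming)
		return EMIT_NO_INCOMING;
	soft_iface = fp->if_incoming->soft_iface;
	if (!fp->if_outgoing)
		return EMIT_NO_OUTGOING;
	if (fp->if_outgoing->soft_iface != soft_iface) {
		mismatch_drops++;
		return EMIT_SOFTIF_MISMATCH;
	}
	if (!fp->if_incoming->active)
		return EMIT_INACTIVE;
	return EMIT_SENT;
}

/* Replays the sequence from the report: the OGM is queued while both hardifs
 * sit on bat0, then eth1 is moved to bat1 before the worker emits it.
 * With reattach == false the packet goes out normally. */
static enum emit_result replay_queue_then_emit(bool reattach)
{
	struct soft_iface bat0 = { "bat0" }, bat1 = { "bat1" };
	struct hard_iface eth0 = { "eth0", &bat0, true };
	struct hard_iface eth1 = { "eth1", &bat0, true };
	struct forw_packet queued = { &eth0, &eth1 }; /* queued for eth1 */

	if (reattach)
		eth1.soft_iface = &bat1; /* happens before the workqueue runs */
	return ogm_emit(&queued);
}
```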
- Status changed from New to In Progress
- Target version set to 2021.2
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
Released as part of batman-adv 2021.2 and Linux 5.13