general protection fault in rt6_fill_node
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: d7223aa5 Merge branch 'l2tp-replace-custom-logging-code-wi..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1399802e900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3d400a47d1416652
dashboard link: https://syzkaller.appspot.com/bug?extid=81af6e9b3c4b8bc874f8
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12949b5a900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17b60e46900000
The issue was bisected to:
commit 867d03bc238f62fcd28f287b9da8af5e483baeab
Author: Robert Hancock <hancock(a)sedsystems.ca>
Date: Thu Jun 6 22:28:14 2019 +0000
net: axienet: Add DMA registers to ethtool register dump
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1523f266900000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1723f266900000
console output: https://syzkaller.appspot.com/x/log.txt?x=1323f266900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+81af6e9b3c4b8bc874f8(a)syzkaller.appspotmail.com
Fixes: 867d03bc238f ("net: axienet: Add DMA registers to ethtool register dump")
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 1 PID: 7050 Comm: syz-executor648 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nexthop_is_blackhole include/net/nexthop.h:240 [inline]
RIP: 0010:rt6_fill_node+0x1396/0x2940 net/ipv6/route.c:5584
Code: 3c 02 00 0f 85 ef 14 00 00 4d 8b 6d 10 e8 f2 1c 87 fa 49 8d bd 80 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 10 15 00 00 4d 8b ad 80 00 00 00 e8 34 4b 06 01
RSP: 0018:ffffc900063672b0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880a88bd800 RCX: ffffffff86ed2456
RDX: 0000000000000010 RSI: ffffffff86ed248e RDI: 0000000000000080
RBP: ffffc900063673e8 R08: 0000000000000001 R09: ffff8880a88bd847
R10: 0000000000000001 R11: 0000000000000000 R12: ffff8880a8ded940
R13: 0000000000000000 R14: ffff8880a899ea00 R15: 0000000000000000
FS: 00000000010e3880(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 00000000a8efa000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
inet6_rt_notify+0x14c/0x2b0 net/ipv6/route.c:6017
fib6_add_rt2node net/ipv6/ip6_fib.c:1246 [inline]
fib6_add+0x2840/0x3ed0 net/ipv6/ip6_fib.c:1473
__ip6_ins_rt net/ipv6/route.c:1317 [inline]
ip6_route_add+0x8b/0x150 net/ipv6/route.c:3744
inet6_rtm_newroute+0x152/0x160 net/ipv6/route.c:5360
rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:671
____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
___sys_sendmsg+0xf3/0x170 net/socket.c:2407
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x443ef9
Code: e8 8c 07 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff25138308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443ef9
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 00007fff25138310 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000e25f
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 46e9e8854602a8a3 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
general protection fault in nexthop_is_blackhole
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: c3d8f220 Merge tag 'kbuild-fixes-v5.9' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c48c96900000
kernel config: https://syzkaller.appspot.com/x/.config?x=bb68b9e8a8cc842f
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c08a2f5cfef635cc3a
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d75e39900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12aea519900000
The issue was bisected to:
commit de47c5d8e11dda678e4354eeb4235e58e92f7cd2
Author: Hariprasad Kelam <hariprasad.kelam(a)gmail.com>
Date: Sat Jun 8 09:00:50 2019 +0000
af_key: make use of BUG_ON macro
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10450972900000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12450972900000
console output: https://syzkaller.appspot.com/x/log.txt?x=14450972900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b2c08a2f5cfef635cc3a(a)syzkaller.appspotmail.com
Fixes: de47c5d8e11d ("af_key: make use of BUG_ON macro")
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 0 PID: 7050 Comm: syz-executor320 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nexthop_is_blackhole+0x145/0x250 include/net/nexthop.h:240
Code: 4d fa 49 83 c6 10 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 39 f0 8c fa 49 8b 1e 48 83 eb 80 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 1c f0 8c fa 48 8b 1b e8 e4 4e 02
RSP: 0018:ffffc900061172b8 EFLAGS: 00010202
RAX: 0000000000000010 RBX: 0000000000000080 RCX: ffff888091444300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff8727dfc7 R09: ffffed1012299e09
R10: ffffed1012299e09 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880919da280 R14: ffff8880a9576610 R15: dffffc0000000000
FS: 0000000001a89880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 00000000a7555000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rt6_fill_node+0xfe9/0x1f90 net/ipv6/route.c:5584
inet6_rt_notify+0x2ab/0x500 net/ipv6/route.c:6017
fib6_add_rt2node net/ipv6/ip6_fib.c:1246 [inline]
fib6_add+0x203b/0x3bd0 net/ipv6/ip6_fib.c:1473
__ip6_ins_rt net/ipv6/route.c:1317 [inline]
ip6_route_add+0x84/0x120 net/ipv6/route.c:3744
inet6_rtm_newroute+0x22f/0x2150 net/ipv6/route.c:5360
rtnetlink_rcv_msg+0x889/0xd40 net/core/rtnetlink.c:5563
netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2470
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1330
netlink_sendmsg+0xa57/0xd70 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
____sys_sendmsg+0x519/0x800 net/socket.c:2353
___sys_sendmsg net/socket.c:2407 [inline]
__sys_sendmsg+0x2b1/0x360 net/socket.c:2440
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x443ef9
Code: e8 8c 07 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd64ccd428 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443ef9
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 00007ffd64ccd430 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000b6f1
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace e62dc7d3de715e59 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Is it possible to send all batman-adv traffic through http proxy cache?
by Chuck Ritola
Is it possible to send all batman-adv ethernet traffic through an HTTP
proxy cache such as Squid?
This is for building a fairly large mesh network on amateur radio with
some links having limited bandwidth. To improve performance a proxy
cache would be installed inside each node, which stores to cache any
HTTP responses tagged as cacheable and sniffs for HTTP requests
through said switch for requests matching any cache entry. It then
blocks the request from being forwarded and responds to the request
itself with the cached data.
I'm having difficulty figuring out how to get batman-adv to pass all
of its raw ethernet traffic (presumably with mesh headers removed)
through outside software such as Squid before performing its
switching.
Another consideration was ALFRED but it doesn't appear to be easily
integratable with existing software.
[PATCH] batman-adv: bla: fix type misuse for backbone_gw hash indexing
by Linus Lüssing
From: Linus Lüssing <ll(a)simonwunderlich.de>
It seems that due to a copy & paste error the void pointer
in batadv_choose_backbone_gw() is cast to the wrong type.
Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct
batadv_bla_claim" which better matches the caller's side.
For now it seems that we were lucky because the two structs both have
their orig/vid and addr/vid in the beginning. However I stumbled over
this issue when I was trying to add some debug variables in front of
"orig" in batadv_backbone_gw, which caused hash lookups to fail.
Fixes: 7e15c9305ce0 ("batman-adv: don't rely on positions in struct for hashing")
Signed-off-by: Linus Lüssing <ll(a)simonwunderlich.de>
---
net/batman-adv/bridge_loop_avoidance.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index b643dadc..4ba984bf 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -88,11 +88,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
*/
static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
{
- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
+ const struct batadv_bla_backbone_gw *gw;
u32 hash = 0;
- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
+ gw = (struct batadv_bla_backbone_gw *)data;
+ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
+ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
return hash % size;
}
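Review bot: the added cast in `gw = (struct batadv_bla_backbone_gw *)data;` drops the const qualifier of `data` before the result is assigned to a const pointer, and converting from `const void *` needs no cast at all. Initialising at the declaration, `const struct batadv_bla_backbone_gw *gw = data;`, keeps const-correctness, removes the explicit cast (the kind of line where the original copy and paste error sat) and avoids splitting the declaration from the assignment.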
--
2.28.0.rc1
[PATCH 0/5] pull request for net-next: batman-adv 2020-08-24
by Simon Wunderlich
Hi David,
here is a small cleanup pull request of batman-adv to go into net-next.
Please pull or let me know of any problem!
Thank you,
Simon
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
are available in the Git repository at:
git://git.open-mesh.org/linux-merge.git tags/batadv-next-for-davem-20200824
for you to fetch changes up to 0093870aa891594d170e1dc9aa192a30d530d755:
batman-adv: Migrate to linux/prandom.h (2020-08-18 19:39:54 +0200)
----------------------------------------------------------------
This cleanup patchset includes the following patches:
- bump version strings, by Simon Wunderlich
- Drop unused function batadv_hardif_remove_interfaces(),
by Sven Eckelmann
- delete duplicated words, by Randy Dunlap
- Drop (even more) repeated words in comments, by Sven Eckelmann
- Migrate to linux/prandom.h, by Sven Eckelmann
----------------------------------------------------------------
Randy Dunlap (1):
batman-adv: types.h: delete duplicated words
Simon Wunderlich (1):
batman-adv: Start new development cycle
Sven Eckelmann (3):
batman-adv: Drop unused function batadv_hardif_remove_interfaces()
batman-adv: Drop repeated words in comments
batman-adv: Migrate to linux/prandom.h
net/batman-adv/bat_iv_ogm.c | 1 +
net/batman-adv/bat_v_elp.c | 1 +
net/batman-adv/bat_v_ogm.c | 1 +
net/batman-adv/bridge_loop_avoidance.c | 2 +-
net/batman-adv/fragmentation.c | 2 +-
net/batman-adv/hard-interface.c | 19 +------------------
net/batman-adv/hard-interface.h | 1 -
net/batman-adv/main.c | 1 -
net/batman-adv/main.h | 2 +-
net/batman-adv/multicast.c | 2 +-
net/batman-adv/network-coding.c | 4 ++--
net/batman-adv/send.c | 2 +-
net/batman-adv/soft-interface.c | 4 ++--
net/batman-adv/types.h | 4 ++--
14 files changed, 15 insertions(+), 31 deletions(-)
[PATCH 0/3] pull request for net: batman-adv 2020-08-24
by Simon Wunderlich
Hi David,
here are some bugfixes which we would like to have integrated into net.
Please pull or let me know of any problem!
Thank you,
Simon
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
are available in the Git repository at:
git://git.open-mesh.org/linux-merge.git tags/batadv-net-for-davem-20200824
for you to fetch changes up to 279e89b2281af3b1a9f04906e157992c19c9f163:
batman-adv: bla: use netif_rx_ni when not in interrupt context (2020-08-18 19:40:03 +0200)
----------------------------------------------------------------
Here are some batman-adv bugfixes:
- Avoid uninitialized memory access when handling DHCP, by Sven Eckelmann
- Fix check for own OGM in OGM receive handler, by Linus Luessing
- Fix netif_rx access for non-interrupt context in BLA, by Jussi Kivilinna
----------------------------------------------------------------
Jussi Kivilinna (1):
batman-adv: bla: use netif_rx_ni when not in interrupt context
Linus Lüssing (1):
batman-adv: Fix own OGM check in aggregated OGMs
Sven Eckelmann (1):
batman-adv: Avoid uninitialized chaddr when handling DHCP
net/batman-adv/bat_v_ogm.c | 11 ++++++-----
net/batman-adv/bridge_loop_avoidance.c | 5 ++++-
net/batman-adv/gateway_client.c | 6 ++++--
3 files changed, 14 insertions(+), 8 deletions(-)
[PATCH 0/8] net: batman-adv: delete duplicated words + other fixes
by Randy Dunlap
Drop repeated words in net/batman-adv/.
Cc: Marek Lindner <mareklindner(a)neomailbox.ch>
Cc: Simon Wunderlich <sw(a)simonwunderlich.de>
Cc: Antonio Quartulli <a(a)unstable.cc>
Cc: Sven Eckelmann <sven(a)narfation.org>
Cc: b.a.t.m.a.n(a)lists.open-mesh.org
Cc: "David S. Miller" <davem(a)davemloft.net>
Cc: Jakub Kicinski <kuba(a)kernel.org>
net/batman-adv/bridge_loop_avoidance.c | 2 +-
net/batman-adv/fragmentation.c | 2 +-
net/batman-adv/hard-interface.c | 2 +-
net/batman-adv/multicast.c | 2 +-
net/batman-adv/network-coding.c | 2 +-
net/batman-adv/send.c | 2 +-
net/batman-adv/soft-interface.c | 4 ++--
net/batman-adv/types.h | 4 ++--
8 files changed, 10 insertions(+), 10 deletions(-)
[PATCH] batman-adv: bla: use netif_rx_ni when not in interrupt context
by Jussi Kivilinna
batadv_bla_send_claim() gets called from worker thread context through
batadv_bla_periodic_work(), thus netif_rx_ni needs to be used in that
case. This fixes "NOHZ: local_softirq_pending 08" log messages seen
when batman-adv is enabled.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna(a)haltian.com>
---
net/batman-adv/bridge_loop_avoidance.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 5c41cc52bc53..ab6cec3c7586 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -437,7 +437,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac,
batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
skb->len + ETH_HLEN);
- netif_rx(skb);
+ if (in_interrupt())
+ netif_rx(skb);
+ else
+ netif_rx_ni(skb);
out:
if (primary_if)
batadv_hardif_put(primary_if);
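Review bot: the new `if (in_interrupt())` test in batadv_bla_send_claim() carries no comment saying which callers reach this point from which context. The commit message names only the worker path through batadv_bla_periodic_work(), so a reader of the hunk cannot tell why the `netif_rx(skb);` branch is still needed. A one-line comment above the `if` naming the interrupt-context caller, or a sentence in the commit message, would document why the context is chosen at run time rather than fixed per call site.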
--
2.25.1
inconsistent lock state in sco_sock_timeout
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: 2cc3c4b3 Merge tag 'io_uring-5.9-2020-08-15' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10cf6aa6900000
kernel config: https://syzkaller.appspot.com/x/.config?x=19f02fc5c511a391
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13071491900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ec5be2900000
The issue was bisected to:
commit 331c56ac73846fa267c04ee6aa9a00bb5fed9440
Author: Heiner Kallweit <hkallweit1(a)gmail.com>
Date: Mon Aug 12 21:51:27 2019 +0000
net: phy: add phy_speed_down_core and phy_resolve_min_speed
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1623bea6900000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1523bea6900000
console output: https://syzkaller.appspot.com/x/log.txt?x=1123bea6900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f6d7c28bb4bf7e82060(a)syzkaller.appspotmail.com
Fixes: 331c56ac7384 ("net: phy: add phy_speed_down_core and phy_resolve_min_speed")
================================
WARNING: inconsistent lock state
5.8.0-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff888088b810a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff888088b810a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: sco_sock_timeout+0x2b/0x280 net/bluetooth/sco.c:83
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x160/0x730 kernel/locking/lockdep.c:5005
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
sco_conn_del+0x100/0x710 net/bluetooth/sco.c:176
hci_disconn_cfm include/net/bluetooth/hci_core.h:1438 [inline]
hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1557
hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1770
hci_unregister_dev+0x185/0x1590 net/bluetooth/hci_core.c:3790
vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
__fput+0x34f/0x7b0 fs/file_table.c:281
task_work_run+0x137/0x1c0 kernel/task_work.c:141
exit_task_work include/linux/task_work.h:25 [inline]
do_exit+0x5f3/0x1f20 kernel/exit.c:806
do_group_exit+0x161/0x2d0 kernel/exit.c:903
get_signal+0x13bb/0x1d50 kernel/signal.c:2757
arch_do_signal+0x33/0x610 arch/x86/kernel/signal.c:811
exit_to_user_mode_loop kernel/entry/common.c:135 [inline]
exit_to_user_mode_prepare+0x8d/0x1b0 kernel/entry/common.c:166
syscall_exit_to_user_mode+0x5e/0x1a0 kernel/entry/common.c:241
entry_SYSCALL_64_after_hwframe+0x44/0xa9
irq event stamp: 1760434
hardirqs last enabled at (1760434): [<ffffffff882bbc5f>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last enabled at (1760434): [<ffffffff882bbc5f>] _raw_spin_unlock_irq+0x1f/0x80 kernel/locking/spinlock.c:199
hardirqs last disabled at (1760433): [<ffffffff882bbab1>] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:126 [inline]
hardirqs last disabled at (1760433): [<ffffffff882bbab1>] _raw_spin_lock_irq+0x41/0x80 kernel/locking/spinlock.c:167
softirqs last enabled at (1760422): [<ffffffff88292264>] sysvec_apic_timer_interrupt+0x14/0xf0 arch/x86/kernel/apic/apic.c:1091
softirqs last disabled at (1760423): [<ffffffff88400f2f>] asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
<Interrupt>
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
*** DEADLOCK ***
1 lock held by swapper/1/0:
#0: ffffc90000da8dc0 ((&sk->sk_timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
#0: ffffc90000da8dc0 ((&sk->sk_timer)){+.-.}-{0:0}, at: call_timer_fn+0x57/0x160 kernel/time/timer.c:1403
stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1f0/0x31e lib/dump_stack.c:118
print_usage_bug+0x1117/0x11d0 kernel/locking/lockdep.c:3350
mark_lock_irq arch/x86/include/asm/paravirt.h:661 [inline]
mark_lock+0x10e2/0x1b00 kernel/locking/lockdep.c:4006
mark_usage kernel/locking/lockdep.c:3905 [inline]
__lock_acquire+0xa99/0x2ab0 kernel/locking/lockdep.c:4380
lock_acquire+0x160/0x730 kernel/locking/lockdep.c:5005
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
sco_sock_timeout+0x2b/0x280 net/bluetooth/sco.c:83
call_timer_fn+0x91/0x160 kernel/time/timer.c:1413
expire_timers kernel/time/timer.c:1458 [inline]
__run_timers+0x65e/0x830 kernel/time/timer.c:1755
run_timer_softirq+0x46/0x80 kernel/time/timer.c:1768
__do_softirq+0x236/0x66c kernel/softirq.c:298
asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
do_softirq_own_stack+0x91/0xe0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x1e1/0x1f0 kernel/softirq.c:423
irq_exit_rcu+0x5/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xd5/0xf0 arch/x86/kernel/apic/apic.c:1091
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:tick_nohz_idle_exit+0x2f2/0x3a0 kernel/time/tick-sched.c:1213
Code: 30 00 74 0c 48 c7 c7 08 15 4d 89 e8 f8 0b 4c 00 48 83 3d 48 52 e4 07 00 0f 84 a6 00 00 00 e8 95 37 0c 00 fb 66 0f 1f 44 00 00 <48> 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 7a 37 0c 00 0f 0b
RSP: 0018:ffffc90000d3fe68 EFLAGS: 00000293
RAX: ffffffff8168c2cb RBX: ffff8880ae927f80 RCX: ffff8880a9a3e340
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8168c29a
RBP: 000000b26607d004 R08: ffffffff817abce0 R09: ffffed1015d26c6c
R10: ffffed1015d26c6c R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880ae927f54 R14: dffffc0000000000 R15: 1ffff11015d24fea
do_idle+0x5fe/0x650 kernel/sched/idle.c:289
cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:372
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches