Re: net: BUG in unix_notinflight
On Tue, Mar 7, 2017 at 2:23 PM, Nikolay Borisovwrote: > >>> >>> >>> New report from linux-next/c0b7b2b33bd17f7155956d0338ce92615da686c9 >>> >>> [ cut here ] >>> kernel BUG at net/unix/garbage.c:149! >>> invalid opcode: [#1] SMP KASAN >>> Dumping ftrace buffer: >>>(ftrace buffer empty) >>> Modules linked in: >>> CPU: 0 PID: 1806 Comm: syz-executor7 Not tainted 4.10.0-next-20170303+ #6 >>> Hardware name: Google Google Compute Engine/Google Compute Engine, >>> BIOS Google 01/01/2011 >>> task: 880121c64740 task.stack: 88012c9e8000 >>> RIP: 0010:unix_notinflight+0x417/0x5d0 net/unix/garbage.c:149 >>> RSP: 0018:88012c9ef0f8 EFLAGS: 00010297 >>> RAX: 880121c64740 RBX: 11002593de23 RCX: 8801c490c628 >>> RDX: RSI: 11002593de27 RDI: 8557e504 >>> RBP: 88012c9ef220 R08: 0001 R09: >>> R10: dc00 R11: ed002593de55 R12: 8801c490c0c0 >>> R13: 88012c9ef1f8 R14: 85101620 R15: dc00 >>> FS: 013d3940() GS:8801dbe0() knlGS: >>> CS: 0010 DS: ES: CR0: 80050033 >>> CR2: 01fd8cd8 CR3: 0001cce69000 CR4: 001426f0 >>> Call Trace: >>> unix_detach_fds.isra.23+0xfa/0x170 net/unix/af_unix.c:1490 >>> unix_destruct_scm+0xf4/0x200 net/unix/af_unix.c:1499 >> >> The problem here is there is no lock protecting concurrent unix_detach_fds() >> even though unix_notinflight() is already serialized, if we call >> unix_notinflight() >> twice on the same file pointer, we trigger this bug... >> >> I don't know what is the right lock here to serialize it. >> > > > I reported something similar a while ago > https://lists.gt.net/linux/kernel/2534612 > > And Miklos Szeredi then produced the following patch : > > https://patchwork.kernel.org/patch/9305121/ > > However, this was never applied. I wonder if the patch makes sense? I doubt it is the same case. According to Miklos' description, the case he tried to fix is MSG_PEEK, but Dmitry's test case does not set it... They are different problems probably.
Re: net: BUG in unix_notinflight
On Tue, Mar 7, 2017 at 12:37 AM, Dmitry Vyukovwrote: > On Mon, Mar 6, 2017 at 11:34 PM, Cong Wang wrote: >> The problem here is there is no lock protecting concurrent unix_detach_fds() >> even though unix_notinflight() is already serialized, if we call >> unix_notinflight() >> twice on the same file pointer, we trigger this bug... >> >> I don't know what is the right lock here to serialize it. > > > What exactly here needs to be protected? > > 1484 static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) > 1485 { > 1486 int i; > 1487 > 1488 scm->fp = UNIXCB(skb).fp; > 1489 UNIXCB(skb).fp = NULL; > 1490 > 1491 for (i = scm->fp->count-1; i >= 0; i--) > 1492 unix_notinflight(scm->fp->user, scm->fp->fp[i]); > 1493 } > > Whole unix_notinflight happens under global unix_gc_lock. > > Is it that 2 threads call unix_detach_fds for the same skb, and then > call unix_notinflight for the same fd twice? Not the same skb, but their UNIXCB(skb).fp points to the same place, therefore we call unix_notinflight() twice on the same fp->user and fp->fp[i], although we have refcounting but still able to trigger this warning.
Re: net: BUG in unix_notinflight
On Wed, Mar 08, 2017 at 12:23:56AM +0200, Nikolay Borisov wrote: > > >> > >> > >> New report from linux-next/c0b7b2b33bd17f7155956d0338ce92615da686c9 > >> > >> [ cut here ] > >> kernel BUG at net/unix/garbage.c:149! > >> invalid opcode: [#1] SMP KASAN > >> Dumping ftrace buffer: > >>(ftrace buffer empty) > >> Modules linked in: > >> CPU: 0 PID: 1806 Comm: syz-executor7 Not tainted 4.10.0-next-20170303+ #6 > >> Hardware name: Google Google Compute Engine/Google Compute Engine, > >> BIOS Google 01/01/2011 > >> task: 880121c64740 task.stack: 88012c9e8000 > >> RIP: 0010:unix_notinflight+0x417/0x5d0 net/unix/garbage.c:149 > >> RSP: 0018:88012c9ef0f8 EFLAGS: 00010297 > >> RAX: 880121c64740 RBX: 11002593de23 RCX: 8801c490c628 > >> RDX: RSI: 11002593de27 RDI: 8557e504 > >> RBP: 88012c9ef220 R08: 0001 R09: > >> R10: dc00 R11: ed002593de55 R12: 8801c490c0c0 > >> R13: 88012c9ef1f8 R14: 85101620 R15: dc00 > >> FS: 013d3940() GS:8801dbe0() > >> knlGS: > >> CS: 0010 DS: ES: CR0: 80050033 > >> CR2: 01fd8cd8 CR3: 0001cce69000 CR4: 001426f0 > >> Call Trace: > >> unix_detach_fds.isra.23+0xfa/0x170 net/unix/af_unix.c:1490 > >> unix_destruct_scm+0xf4/0x200 net/unix/af_unix.c:1499 > > > > The problem here is there is no lock protecting concurrent unix_detach_fds() > > even though unix_notinflight() is already serialized, if we call > > unix_notinflight() > > twice on the same file pointer, we trigger this bug... > > > > I don't know what is the right lock here to serialize it. > > > > > I reported something similar a while ago > https://lists.gt.net/linux/kernel/2534612 > > And Miklos Szeredi then produced the following patch : > > https://patchwork.kernel.org/patch/9305121/ > > However, this was never applied. I wonder if the patch makes sense? I don't know but there's a hint at the bottom of the thread with Davem's response to which there was no followup : "Why would I apply a patch that's an RFC, doesn't have a proper commit message, lacks a proper signoff, and also lacks ACK's and feedback from other knowledgable developers?" So at least this point makes sense, maybe the patch is fine but was not sufficiently reviewed or acked ? Maybe it was proposed as an RFC to start a discussion and never went to the final status of a patch waiting for being applied ? Willy
Re: net: BUG in unix_notinflight
>> >> >> New report from linux-next/c0b7b2b33bd17f7155956d0338ce92615da686c9 >> >> [ cut here ] >> kernel BUG at net/unix/garbage.c:149! >> invalid opcode: [#1] SMP KASAN >> Dumping ftrace buffer: >>(ftrace buffer empty) >> Modules linked in: >> CPU: 0 PID: 1806 Comm: syz-executor7 Not tainted 4.10.0-next-20170303+ #6 >> Hardware name: Google Google Compute Engine/Google Compute Engine, >> BIOS Google 01/01/2011 >> task: 880121c64740 task.stack: 88012c9e8000 >> RIP: 0010:unix_notinflight+0x417/0x5d0 net/unix/garbage.c:149 >> RSP: 0018:88012c9ef0f8 EFLAGS: 00010297 >> RAX: 880121c64740 RBX: 11002593de23 RCX: 8801c490c628 >> RDX: RSI: 11002593de27 RDI: 8557e504 >> RBP: 88012c9ef220 R08: 0001 R09: >> R10: dc00 R11: ed002593de55 R12: 8801c490c0c0 >> R13: 88012c9ef1f8 R14: 85101620 R15: dc00 >> FS: 013d3940() GS:8801dbe0() knlGS: >> CS: 0010 DS: ES: CR0: 80050033 >> CR2: 01fd8cd8 CR3: 0001cce69000 CR4: 001426f0 >> Call Trace: >> unix_detach_fds.isra.23+0xfa/0x170 net/unix/af_unix.c:1490 >> unix_destruct_scm+0xf4/0x200 net/unix/af_unix.c:1499 > > The problem here is there is no lock protecting concurrent unix_detach_fds() > even though unix_notinflight() is already serialized, if we call > unix_notinflight() > twice on the same file pointer, we trigger this bug... > > I don't know what is the right lock here to serialize it. > I reported something similar a while ago https://lists.gt.net/linux/kernel/2534612 And Miklos Szeredi then produced the following patch : https://patchwork.kernel.org/patch/9305121/ However, this was never applied. I wonder if the patch makes sense?
Re: net: BUG in unix_notinflight
On Mon, Mar 6, 2017 at 11:34 PM, Cong Wangwrote: > On Mon, Mar 6, 2017 at 2:40 AM, Dmitry Vyukov wrote: >> Now with a nice single-threaded C reproducer! > > Excellent... > >> >> // autogenerated by syzkaller (http://github.com/google/syzkaller) >> #define _GNU_SOURCE >> #include >> #include >> #include >> #include >> #include >> #include >> #include >> #include >> >> void test() >> { >> long r[54]; >> memset(r, -1, sizeof(r)); >> syscall(__NR_mmap, 0x2000ul, 0xfff000ul, 0x3ul, 0x32ul, -1, 0); >> r[1] = syscall(__NR_socketpair, 0x1ul, 0x5ul, 0x0ul, 0x20521ff8ul); >> r[2] = *(uint32_t*)0x20521ff8; >> r[3] = *(uint32_t*)0x20521ffc; >> r[5] = syscall(__NR_open, "/dev/net/tun", 0x20ul); >> r[6] = syscall(__NR_socketpair, 0x1ul, 0x5ul, 0x0ul, >> 0x20d85000ul, 0, 0, 0, 0, 0); >> r[7] = *(uint32_t*)0x20d85000; >> (*(uint64_t*)0x2fc8 = (uint64_t)0x2000); >> (*(uint32_t*)0x2fd0 = (uint32_t)0xa); >> (*(uint64_t*)0x2fd8 = (uint64_t)0x2005d000); >> (*(uint64_t*)0x2fe0 = (uint64_t)0x8); >> (*(uint64_t*)0x2fe8 = (uint64_t)0x2ff0); >> (*(uint64_t*)0x2ff0 = (uint64_t)0x1); >> (*(uint32_t*)0x2ff8 = (uint32_t)0x0); >> (*(uint16_t*)0x2000 = (uint16_t)0x1); >> memcpy((void*)0x2002, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8); >> (*(uint64_t*)0x2005d000 = (uint64_t)0x20784f06); >> (*(uint64_t*)0x2005d008 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d010 = (uint64_t)0x209a5f78); >> (*(uint64_t*)0x2005d018 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d020 = (uint64_t)0x20ec3ffc); >> (*(uint64_t*)0x2005d028 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d030 = (uint64_t)0x2057e000); >> (*(uint64_t*)0x2005d038 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d040 = (uint64_t)0x200c9f9d); >> (*(uint64_t*)0x2005d048 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d050 = (uint64_t)0x20331000); >> (*(uint64_t*)0x2005d058 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d060 = (uint64_t)0x206a1f7b); >> (*(uint64_t*)0x2005d068 = (uint64_t)0x0); >> (*(uint64_t*)0x2005d070 = (uint64_t)0x20e7f000); >> (*(uint64_t*)0x2005d078 = (uint64_t)0x0); >> (*(uint64_t*)0x2ff0 = (uint64_t)0x18); >> (*(uint32_t*)0x2ff8 = (uint32_t)0x1); >> (*(uint32_t*)0x2ffc = (uint32_t)0x1); >> (*(uint32_t*)0x20001000 = r[5]); >> (*(uint32_t*)0x20001004 = r[7]); >> syscall(__NR_sendmsg, r[7], 0x2fc8ul, 0x0ul); >> (*(uint64_t*)0x2fc8 = (uint64_t)0x2000); >> (*(uint32_t*)0x2fd0 = (uint32_t)0x8); >> (*(uint64_t*)0x2fd8 = (uint64_t)0x20026000); >> (*(uint64_t*)0x2fe0 = (uint64_t)0x0); >> (*(uint64_t*)0x2fe8 = (uint64_t)0x2ff0); >> (*(uint64_t*)0x2ff0 = (uint64_t)0x1); >> (*(uint32_t*)0x2ff8 = (uint32_t)0x0); >> (*(uint16_t*)0x2000 = (uint16_t)0x0); >> (*(uint8_t*)0x2002 = (uint8_t)0x0); >> (*(uint32_t*)0x2004 = (uint32_t)0x4e20); >> (*(uint64_t*)0x2ff0 = (uint64_t)0x18); >> (*(uint32_t*)0x2ff8 = (uint32_t)0x1); >> (*(uint32_t*)0x2ffc = (uint32_t)0x1); >> (*(uint32_t*)0x20001000 = r[2]); >> syscall(__NR_sendmsg, r[3], 0x2fc8ul, 0x0ul); >> } >> >> int main() >> { >> int i, pid, status; >> for (i = 0; i < 4; i++) { >> if (fork() == 0) { >> for (;;) { >> pid = fork(); >> if (pid == 0) { >> test(); >> exit(0); >> } >> while (waitpid(pid, , __WALL) != pid) {} >> } >> } >> } >> sleep(100); >> return 0; >> } >> >> >> >> New report from linux-next/c0b7b2b33bd17f7155956d0338ce92615da686c9 >> >> [ cut here ] >> kernel BUG at net/unix/garbage.c:149! >> invalid opcode: [#1] SMP KASAN >> Dumping ftrace buffer: >>(ftrace buffer empty) >> Modules linked in: >> CPU: 0 PID: 1806 Comm: syz-executor7 Not tainted 4.10.0-next-20170303+ #6 >> Hardware name: Google Google Compute Engine/Google Compute Engine, >> BIOS Google 01/01/2011 >> task: 880121c64740 task.stack: 88012c9e8000 >> RIP: 0010:unix_notinflight+0x417/0x5d0 net/unix/garbage.c:149 >> RSP: 0018:88012c9ef0f8 EFLAGS: 00010297 >> RAX: 880121c64740 RBX: 11002593de23 RCX: 8801c490c628 >> RDX: RSI: 11002593de27 RDI: 8557e504 >> RBP: 88012c9ef220 R08: 0001 R09: >> R10: dc00 R11: ed002593de55 R12: 8801c490c0c0 >> R13: 88012c9ef1f8 R14: 85101620 R15: dc00 >> FS: 013d3940() GS:8801dbe0() knlGS: >> CS: 0010 DS: ES: CR0: 80050033 >> CR2: 01fd8cd8 CR3: 0001cce69000 CR4: 001426f0 >> Call Trace: >> unix_detach_fds.isra.23+0xfa/0x170 net/unix/af_unix.c:1490 >> unix_destruct_scm+0xf4/0x200 net/unix/af_unix.c:1499 > > The problem here is there is no lock protecting concurrent unix_detach_fds() > even though unix_notinflight() is already serialized, if we
Re: net: BUG in unix_notinflight
On Mon, Mar 6, 2017 at 2:40 AM, Dmitry Vyukovwrote: > Now with a nice single-threaded C reproducer! Excellent... > > // autogenerated by syzkaller (http://github.com/google/syzkaller) > #define _GNU_SOURCE > #include > #include > #include > #include > #include > #include > #include > #include > > void test() > { > long r[54]; > memset(r, -1, sizeof(r)); > syscall(__NR_mmap, 0x2000ul, 0xfff000ul, 0x3ul, 0x32ul, -1, 0); > r[1] = syscall(__NR_socketpair, 0x1ul, 0x5ul, 0x0ul, 0x20521ff8ul); > r[2] = *(uint32_t*)0x20521ff8; > r[3] = *(uint32_t*)0x20521ffc; > r[5] = syscall(__NR_open, "/dev/net/tun", 0x20ul); > r[6] = syscall(__NR_socketpair, 0x1ul, 0x5ul, 0x0ul, > 0x20d85000ul, 0, 0, 0, 0, 0); > r[7] = *(uint32_t*)0x20d85000; > (*(uint64_t*)0x2fc8 = (uint64_t)0x2000); > (*(uint32_t*)0x2fd0 = (uint32_t)0xa); > (*(uint64_t*)0x2fd8 = (uint64_t)0x2005d000); > (*(uint64_t*)0x2fe0 = (uint64_t)0x8); > (*(uint64_t*)0x2fe8 = (uint64_t)0x2ff0); > (*(uint64_t*)0x2ff0 = (uint64_t)0x1); > (*(uint32_t*)0x2ff8 = (uint32_t)0x0); > (*(uint16_t*)0x2000 = (uint16_t)0x1); > memcpy((void*)0x2002, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8); > (*(uint64_t*)0x2005d000 = (uint64_t)0x20784f06); > (*(uint64_t*)0x2005d008 = (uint64_t)0x0); > (*(uint64_t*)0x2005d010 = (uint64_t)0x209a5f78); > (*(uint64_t*)0x2005d018 = (uint64_t)0x0); > (*(uint64_t*)0x2005d020 = (uint64_t)0x20ec3ffc); > (*(uint64_t*)0x2005d028 = (uint64_t)0x0); > (*(uint64_t*)0x2005d030 = (uint64_t)0x2057e000); > (*(uint64_t*)0x2005d038 = (uint64_t)0x0); > (*(uint64_t*)0x2005d040 = (uint64_t)0x200c9f9d); > (*(uint64_t*)0x2005d048 = (uint64_t)0x0); > (*(uint64_t*)0x2005d050 = (uint64_t)0x20331000); > (*(uint64_t*)0x2005d058 = (uint64_t)0x0); > (*(uint64_t*)0x2005d060 = (uint64_t)0x206a1f7b); > (*(uint64_t*)0x2005d068 = (uint64_t)0x0); > (*(uint64_t*)0x2005d070 = (uint64_t)0x20e7f000); > (*(uint64_t*)0x2005d078 = (uint64_t)0x0); > (*(uint64_t*)0x2ff0 = (uint64_t)0x18); > (*(uint32_t*)0x2ff8 = (uint32_t)0x1); > (*(uint32_t*)0x2ffc = (uint32_t)0x1); > (*(uint32_t*)0x20001000 = r[5]); > (*(uint32_t*)0x20001004 = r[7]); > syscall(__NR_sendmsg, r[7], 0x2fc8ul, 0x0ul); > (*(uint64_t*)0x2fc8 = (uint64_t)0x2000); > (*(uint32_t*)0x2fd0 = (uint32_t)0x8); > (*(uint64_t*)0x2fd8 = (uint64_t)0x20026000); > (*(uint64_t*)0x2fe0 = (uint64_t)0x0); > (*(uint64_t*)0x2fe8 = (uint64_t)0x2ff0); > (*(uint64_t*)0x2ff0 = (uint64_t)0x1); > (*(uint32_t*)0x2ff8 = (uint32_t)0x0); > (*(uint16_t*)0x2000 = (uint16_t)0x0); > (*(uint8_t*)0x2002 = (uint8_t)0x0); > (*(uint32_t*)0x2004 = (uint32_t)0x4e20); > (*(uint64_t*)0x2ff0 = (uint64_t)0x18); > (*(uint32_t*)0x2ff8 = (uint32_t)0x1); > (*(uint32_t*)0x2ffc = (uint32_t)0x1); > (*(uint32_t*)0x20001000 = r[2]); > syscall(__NR_sendmsg, r[3], 0x2fc8ul, 0x0ul); > } > > int main() > { > int i, pid, status; > for (i = 0; i < 4; i++) { > if (fork() == 0) { > for (;;) { > pid = fork(); > if (pid == 0) { > test(); > exit(0); > } > while (waitpid(pid, , __WALL) != pid) {} > } > } > } > sleep(100); > return 0; > } > > > > New report from linux-next/c0b7b2b33bd17f7155956d0338ce92615da686c9 > > [ cut here ] > kernel BUG at net/unix/garbage.c:149! > invalid opcode: [#1] SMP KASAN > Dumping ftrace buffer: >(ftrace buffer empty) > Modules linked in: > CPU: 0 PID: 1806 Comm: syz-executor7 Not tainted 4.10.0-next-20170303+ #6 > Hardware name: Google Google Compute Engine/Google Compute Engine, > BIOS Google 01/01/2011 > task: 880121c64740 task.stack: 88012c9e8000 > RIP: 0010:unix_notinflight+0x417/0x5d0 net/unix/garbage.c:149 > RSP: 0018:88012c9ef0f8 EFLAGS: 00010297 > RAX: 880121c64740 RBX: 11002593de23 RCX: 8801c490c628 > RDX: RSI: 11002593de27 RDI: 8557e504 > RBP: 88012c9ef220 R08: 0001 R09: > R10: dc00 R11: ed002593de55 R12: 8801c490c0c0 > R13: 88012c9ef1f8 R14: 85101620 R15: dc00 > FS: 013d3940() GS:8801dbe0() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 01fd8cd8 CR3: 0001cce69000 CR4: 001426f0 > Call Trace: > unix_detach_fds.isra.23+0xfa/0x170 net/unix/af_unix.c:1490 > unix_destruct_scm+0xf4/0x200 net/unix/af_unix.c:1499 The problem here is there is no lock protecting concurrent unix_detach_fds() even though unix_notinflight() is already serialized, if we call unix_notinflight() twice on the same file pointer, we trigger this bug... I don't know what is the right lock here to serialize it.
Re: net: BUG in unix_notinflight
On Sat, Nov 26, 2016 at 7:05 PM, Dmitry Vyukovwrote: > Hello, > > I am hitting the following BUG while running syzkaller fuzzer: > > kernel BUG at net/unix/garbage.c:149! > invalid opcode: [#1] SMP DEBUG_PAGEALLOC KASAN > Dumping ftrace buffer: >(ftrace buffer empty) > Modules linked in: > CPU: 0 PID: 23491 Comm: syz-executor Not tainted 4.9.0-rc5+ #41 > Hardware name: Google Google Compute Engine/Google Compute Engine, > BIOS Google 01/01/2011 > task: 8801c16b06c0 task.stack: 8801c2928000 > RIP: 0010:[] [] > unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149 > RSP: 0018:8801c292ea40 EFLAGS: 00010297 > RAX: 8801c16b06c0 RBX: 110038525d4a RCX: dc00 > RDX: RSI: 110038525d4e RDI: 8a6e9d84 > RBP: 8801c292eb18 R08: R09: > R10: cdca594876e035a1 R11: 0005 R12: 110038525d4e > R13: 899156e0 R14: 8801c292eaf0 R15: 88018b7cd780 > FS: 7f10420fa700() GS:8801d980() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 2000a000 CR3: 0001c2ecc000 CR4: 001406f0 > DR0: DR1: 0400 DR2: > DR3: DR6: 0ff0 DR7: 0600 > Stack: > dc00 88019f036970 41b58ab3 894c5120 > 8717e840 8801c16b06c0 88018b7cdcf0 894c51e2 > 81576d50 1100 > Call Trace: > [] unix_detach_fds.isra.19+0xff/0x170 > net/unix/af_unix.c:1487 > [] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496 > [] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655 > [] skb_release_all+0x1a/0x60 net/core/skbuff.c:668 > [] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684 > [] kfree_skb+0x184/0x570 net/core/skbuff.c:705 > [] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559 > [] unix_release+0x49/0x90 net/unix/af_unix.c:836 > [] sock_release+0x92/0x1f0 net/socket.c:570 > [] sock_close+0x1b/0x20 net/socket.c:1017 > [] __fput+0x34e/0x910 fs/file_table.c:208 > [] fput+0x1a/0x20 fs/file_table.c:244 > [] task_work_run+0x1a0/0x280 kernel/task_work.c:116 > [< inline >] exit_task_work include/linux/task_work.h:21 > [] do_exit+0x183a/0x2640 kernel/exit.c:828 > [] do_group_exit+0x14e/0x420 kernel/exit.c:931 > [] get_signal+0x663/0x1880 kernel/signal.c:2307 > [] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807 > [] exit_to_usermode_loop+0x1ea/0x2d0 > arch/x86/entry/common.c:156 > [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 > [] syscall_return_slowpath+0x4d3/0x570 > arch/x86/entry/common.c:259 > [] entry_SYSCALL_64_fastpath+0xc4/0xc6 > Code: df 49 89 87 70 05 00 00 41 c6 04 14 f8 48 89 f9 48 c1 e9 03 80 > 3c 11 00 75 64 49 89 87 78 05 00 00 e9 65 ff ff ff e8 ac 94 56 fa <0f> > 0b 48 89 d7 48 89 95 30 ff ff ff e8 bb 22 87 fa 48 8b 95 30 > RIP [] unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149 > RSP > ---[ end trace 4cbbd52674b68dab ]--- > > > On commit 16ae16c6e5616c084168740990fc508bda6655d4 (Nov 24). > Unfortunately this is not reproducible outside of syzkaller. > But easily reproducible with syzkaller. If you need to reproduce it, > follow instructions described here: > https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-programs > With the following as the program: > > mmap(&(0x7f00/0xdd5000)=nil, (0xdd5000), 0x3, 0x32, > 0x, 0x0) > socketpair$unix(0x1, 0x5, 0x0,
net: BUG in unix_notinflight
Hello, I am hitting the following BUG while running syzkaller fuzzer: kernel BUG at net/unix/garbage.c:149! invalid opcode: [#1] SMP DEBUG_PAGEALLOC KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 23491 Comm: syz-executor Not tainted 4.9.0-rc5+ #41 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: 8801c16b06c0 task.stack: 8801c2928000 RIP: 0010:[] [] unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149 RSP: 0018:8801c292ea40 EFLAGS: 00010297 RAX: 8801c16b06c0 RBX: 110038525d4a RCX: dc00 RDX: RSI: 110038525d4e RDI: 8a6e9d84 RBP: 8801c292eb18 R08: R09: R10: cdca594876e035a1 R11: 0005 R12: 110038525d4e R13: 899156e0 R14: 8801c292eaf0 R15: 88018b7cd780 FS: 7f10420fa700() GS:8801d980() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 2000a000 CR3: 0001c2ecc000 CR4: 001406f0 DR0: DR1: 0400 DR2: DR3: DR6: 0ff0 DR7: 0600 Stack: dc00 88019f036970 41b58ab3 894c5120 8717e840 8801c16b06c0 88018b7cdcf0 894c51e2 81576d50 1100 Call Trace: [] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487 [] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496 [] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655 [] skb_release_all+0x1a/0x60 net/core/skbuff.c:668 [] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684 [] kfree_skb+0x184/0x570 net/core/skbuff.c:705 [] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559 [] unix_release+0x49/0x90 net/unix/af_unix.c:836 [] sock_release+0x92/0x1f0 net/socket.c:570 [] sock_close+0x1b/0x20 net/socket.c:1017 [] __fput+0x34e/0x910 fs/file_table.c:208 [] fput+0x1a/0x20 fs/file_table.c:244 [] task_work_run+0x1a0/0x280 kernel/task_work.c:116 [< inline >] exit_task_work include/linux/task_work.h:21 [] do_exit+0x183a/0x2640 kernel/exit.c:828 [] do_group_exit+0x14e/0x420 kernel/exit.c:931 [] get_signal+0x663/0x1880 kernel/signal.c:2307 [] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0x1ea/0x2d0 arch/x86/entry/common.c:156 [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 [] syscall_return_slowpath+0x4d3/0x570 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Code: df 49 89 87 70 05 00 00 41 c6 04 14 f8 48 89 f9 48 c1 e9 03 80 3c 11 00 75 64 49 89 87 78 05 00 00 e9 65 ff ff ff e8 ac 94 56 fa <0f> 0b 48 89 d7 48 89 95 30 ff ff ff e8 bb 22 87 fa 48 8b 95 30 RIP [] unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149 RSP ---[ end trace 4cbbd52674b68dab ]--- On commit 16ae16c6e5616c084168740990fc508bda6655d4 (Nov 24). Unfortunately this is not reproducible outside of syzkaller. But easily reproducible with syzkaller. If you need to reproduce it, follow instructions described here: https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-programs With the following as the program: mmap(&(0x7f00/0xdd5000)=nil, (0xdd5000), 0x3, 0x32, 0x, 0x0) socketpair$unix(0x1, 0x5, 0x0,