Re: BUG: free active (active state 0) object type: work_struct hint: strp_work
On Tue, Feb 13, 2018 at 12:15 PM, Dmitry Vyukov wrote: > > On Thu, Jan 4, 2018 at 8:36 PM, Tom Herbert wrote: > > On Thu, Jan 4, 2018 at 4:10 AM, syzbot > > wrote: > >> Hello, > >> > >> syzkaller hit the following crash on > >> 6bb8824732f69de0f233ae6b1a8158e149627b38 > >> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > >> compiler: gcc (GCC) 7.1.1 20170620 > >> .config is attached > >> Raw console output is attached. > >> Unfortunately, I don't have any reproducer for this bug yet. > >> > >> > >> IMPORTANT: if you fix the bug, please add the following tag to the commit: > >> Reported-by: syzbot+3c6c745b0d2f341bb...@syzkaller.appspotmail.com > >> It will help syzbot understand when the bug is fixed. See footer for > >> details. > >> If you forward the report, please keep this part and the footer. > >> > >> Use struct sctp_assoc_value instead > >> sctp: [Deprecated]: syz-executor4 (pid 12483) Use of int in maxseg socket > >> option. > >> Use struct sctp_assoc_value instead > >> [ cut here ] > >> ODEBUG: free active (active state 0) object type: work_struct hint: > >> strp_work+0x0/0xf0 net/strparser/strparser.c:381 > >> WARNING: CPU: 1 PID: 3502 at lib/debugobjects.c:291 > >> debug_print_object+0x166/0x220 lib/debugobjects.c:288 > >> Kernel panic - not syncing: panic_on_warn set ... > >> > >> CPU: 1 PID: 3502 Comm: kworker/u4:4 Not tainted 4.15.0-rc5+ #170 > >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > >> Google 01/01/2011 > >> Workqueue: kkcmd kcm_tx_work > >> Call Trace: > >> __dump_stack lib/dump_stack.c:17 [inline] > >> dump_stack+0x194/0x257 lib/dump_stack.c:53 > >> panic+0x1e4/0x41c kernel/panic.c:183 > >> __warn+0x1dc/0x200 kernel/panic.c:547 > >> report_bug+0x211/0x2d0 lib/bug.c:184 > >> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 > >> fixup_bug arch/x86/kernel/traps.c:247 [inline] > >> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 > >> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 > >> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1061 > >> RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288 > >> RSP: 0018:8801c0ee7068 EFLAGS: 00010086 > >> RAX: dc08 RBX: 0003 RCX: 8159bc3e > >> RDX: RSI: 1100381dcdc8 RDI: 8801db317dd0 > >> RBP: 8801c0ee70a8 R08: R09: 1100381dcd9a > >> R10: ed00381dce3c R11: 86137ad8 R12: 0001 > >> R13: 86113480 R14: 8560dc40 R15: 8146e5f0 > >> __debug_check_no_obj_freed lib/debugobjects.c:745 [inline] > >> debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774 > >> kmem_cache_free+0x253/0x2a0 mm/slab.c:3745 > > > > I believe we just need to defer kmem_cache_free to call_rcu. > > > Hi Tom, > > Was this ever submitted? I don't any such change in net/kcm/kcmsock.c. Hi Dmitry, I am looking at it. Not yet convinced that call_rcu is right fix. Tom
Re: BUG: free active (active state 0) object type: work_struct hint: strp_work
On Thu, Jan 4, 2018 at 8:36 PM, Tom Herbert wrote: > On Thu, Jan 4, 2018 at 4:10 AM, syzbot > wrote: >> Hello, >> >> syzkaller hit the following crash on >> 6bb8824732f69de0f233ae6b1a8158e149627b38 >> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master >> compiler: gcc (GCC) 7.1.1 20170620 >> .config is attached >> Raw console output is attached. >> Unfortunately, I don't have any reproducer for this bug yet. >> >> >> IMPORTANT: if you fix the bug, please add the following tag to the commit: >> Reported-by: syzbot+3c6c745b0d2f341bb...@syzkaller.appspotmail.com >> It will help syzbot understand when the bug is fixed. See footer for >> details. >> If you forward the report, please keep this part and the footer. >> >> Use struct sctp_assoc_value instead >> sctp: [Deprecated]: syz-executor4 (pid 12483) Use of int in maxseg socket >> option. >> Use struct sctp_assoc_value instead >> [ cut here ] >> ODEBUG: free active (active state 0) object type: work_struct hint: >> strp_work+0x0/0xf0 net/strparser/strparser.c:381 >> WARNING: CPU: 1 PID: 3502 at lib/debugobjects.c:291 >> debug_print_object+0x166/0x220 lib/debugobjects.c:288 >> Kernel panic - not syncing: panic_on_warn set ... >> >> CPU: 1 PID: 3502 Comm: kworker/u4:4 Not tainted 4.15.0-rc5+ #170 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS >> Google 01/01/2011 >> Workqueue: kkcmd kcm_tx_work >> Call Trace: >> __dump_stack lib/dump_stack.c:17 [inline] >> dump_stack+0x194/0x257 lib/dump_stack.c:53 >> panic+0x1e4/0x41c kernel/panic.c:183 >> __warn+0x1dc/0x200 kernel/panic.c:547 >> report_bug+0x211/0x2d0 lib/bug.c:184 >> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 >> fixup_bug arch/x86/kernel/traps.c:247 [inline] >> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 >> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 >> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1061 >> RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288 >> RSP: 0018:8801c0ee7068 EFLAGS: 00010086 >> RAX: dc08 RBX: 0003 RCX: 8159bc3e >> RDX: RSI: 1100381dcdc8 RDI: 8801db317dd0 >> RBP: 8801c0ee70a8 R08: R09: 1100381dcd9a >> R10: ed00381dce3c R11: 86137ad8 R12: 0001 >> R13: 86113480 R14: 8560dc40 R15: 8146e5f0 >> __debug_check_no_obj_freed lib/debugobjects.c:745 [inline] >> debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774 >> kmem_cache_free+0x253/0x2a0 mm/slab.c:3745 > > I believe we just need to defer kmem_cache_free to call_rcu. Hi Tom, Was this ever submitted? I don't any such change in net/kcm/kcmsock.c.
Re: BUG: free active (active state 0) object type: work_struct hint: strp_work
On Thu, Jan 4, 2018 at 4:10 AM, syzbot
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 6bb8824732f69de0f233ae6b1a8158e149627b38
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3c6c745b0d2f341bb...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> Use struct sctp_assoc_value instead
> sctp: [Deprecated]: syz-executor4 (pid 12483) Use of int in maxseg socket
> option.
> Use struct sctp_assoc_value instead
> [ cut here ]
> ODEBUG: free active (active state 0) object type: work_struct hint:
> strp_work+0x0/0xf0 net/strparser/strparser.c:381
> WARNING: CPU: 1 PID: 3502 at lib/debugobjects.c:291
> debug_print_object+0x166/0x220 lib/debugobjects.c:288
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 1 PID: 3502 Comm: kworker/u4:4 Not tainted 4.15.0-rc5+ #170
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: kkcmd kcm_tx_work
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> panic+0x1e4/0x41c kernel/panic.c:183
> __warn+0x1dc/0x200 kernel/panic.c:547
> report_bug+0x211/0x2d0 lib/bug.c:184
> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> fixup_bug arch/x86/kernel/traps.c:247 [inline]
> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1061
> RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
> RSP: 0018:8801c0ee7068 EFLAGS: 00010086
> RAX: dc08 RBX: 0003 RCX: 8159bc3e
> RDX: RSI: 1100381dcdc8 RDI: 8801db317dd0
> RBP: 8801c0ee70a8 R08: R09: 1100381dcd9a
> R10: ed00381dce3c R11: 86137ad8 R12: 0001
> R13: 86113480 R14: 8560dc40 R15: 8146e5f0
> __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
> debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
> kmem_cache_free+0x253/0x2a0 mm/slab.c:3745
I believe we just need to defer kmem_cache_free to call_rcu.
Tom
> unreserve_psock+0x5a1/0x780 net/kcm/kcmsock.c:547
> kcm_write_msgs+0xbae/0x1b80 net/kcm/kcmsock.c:590
> kcm_tx_work+0x2e/0x190 net/kcm/kcmsock.c:731
> process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
> worker_thread+0x223/0x1990 kernel/workqueue.c:2246
> kthread+0x33c/0x400 kernel/kthread.c:238
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515
>
> ==
> WARNING: possible circular locking dependency detected
> 4.15.0-rc5+ #170 Not tainted
> --
> kworker/u4:4/3502 is trying to acquire lock:
> ((console_sem).lock){-.-.}, at: [<91214b42>] down_trylock+0x13/0x70
> kernel/locking/semaphore.c:136
>
> but task is already holding lock:
> (&obj_hash[i].lock){-.-.}, at: []
> __debug_check_no_obj_freed lib/debugobjects.c:736 [inline]
> (&obj_hash[i].lock){-.-.}, at: []
> debug_check_no_obj_freed+0x1e9/0xf1f lib/debugobjects.c:774
>
> which lock already depends on the new lock.
>
>
> the existing dependency chain (in reverse order) is:
>
> -> #3 (&obj_hash[i].lock){-.-.}:
>__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
>_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
>__debug_object_init+0x109/0x1040 lib/debugobjects.c:343
>debug_object_init+0x17/0x20 lib/debugobjects.c:391
>debug_hrtimer_init kernel/time/hrtimer.c:396 [inline]
>debug_init kernel/time/hrtimer.c:441 [inline]
>hrtimer_init+0x8c/0x410 kernel/time/hrtimer.c:1122
>init_dl_task_timer+0x1b/0x50 kernel/sched/deadline.c:1023
>__sched_fork+0x2c4/0xb70 kernel/sched/core.c:2188
>init_idle+0x75/0x820 kernel/sched/core.c:5279
>sched_init+0xb19/0xc43 kernel/sched/core.c:5976
>start_kernel+0x452/0x819 init/main.c:582
>x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378
>x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359
>secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237
>
> -> #2 (&rq->lock){-.-.}:
>__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
>_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
>rq_lock kernel/sched/sched.h:1766 [inline]
>task_fork_fair+0x7a/0x690 kernel/sched/fair.c:9449
>sched_fork+0x435/0xc00 kernel/sched/core.c:2404
>copy_process.part
