On Fri, Feb 9, 2018 at 8:27 PM, syzbot
wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +)
> Merge tag 'usercopy-v4.16-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
>
> So far this crash happened 4 times on net-next.
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
For the record, from Eric in
https://groups.google.com/d/msg/syzkaller-bugs/s0qdtBtcJb8/6CrnEixcAgAJ
> This is still happening; looks like a missing lock in
> tipc_nl_compat_link_set().
> Note that the reproducer isn't guaranteed to work as-is because the message it
> sends to the netlink socket assumes that the "TIPC" generic netlink family was
> assigned ID 31, when actually it is a dynamically assigned ID. But it will
> trigger if you adjust the message's ->nlmsg_type accordingly.
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b743957adcee51f5e...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> netlink: 'syz-executor6': attribute type 1 has an invalid length.
> sctp: [Deprecated]: syz-executor3 (pid 6217) Use of int in max_burst socket
> option.
> Use struct sctp_assoc_value instead
>
> =
> WARNING: suspicious RCU usage
> 4.15.0+ #221 Not tainted
> sctp: [Deprecated]: syz-executor3 (pid 6225) Use of int in max_burst socket
> option.
> Use struct sctp_assoc_value instead
> -
> net/tipc/bearer.c:177 suspicious rcu_dereference_protected() usage!
>
> other info that might help us debug this:
>
>
> rcu_scheduler_active = 2, debug_locks = 1
> 2 locks held by syz-executor6/6218:
> #0: (
> syz-executor5 (6213) used greatest stack depth: 14576 bytes left
> cb_lock){}, at: [<4bdfcf78>] genl_rcv+0x19/0x40
> net/netlink/genetlink.c:634
> #1: (genl_mutex){+.+.}, at: [<482c2989>] genl_lock
> net/netlink/genetlink.c:33 [inline]
> #1: (genl_mutex){+.+.}, at: [<482c2989>] genl_rcv_msg+0x115/0x140
> net/netlink/genetlink.c:622
>
> stack backtrace:
> CPU: 1 PID: 6218 Comm: syz-executor6 Not tainted 4.15.0+ #221
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
> tipc_bearer_find+0x2b4/0x3b0 net/tipc/bearer.c:177
> tipc_nl_compat_link_set+0x329/0x9f0 net/tipc/netlink_compat.c:729
> sock: sock_set_timeout: `syz-executor4' (pid 6237) tries to set negative
> timeout
> __tipc_nl_compat_doit net/tipc/netlink_compat.c:288 [inline]
> tipc_nl_compat_doit+0x15b/0x670 net/tipc/netlink_compat.c:335
> tipc_nl_compat_handle net/tipc/netlink_compat.c:1119 [inline]
> tipc_nl_compat_recv+0x1135/0x18f0 net/tipc/netlink_compat.c:1201
> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
> netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2442
> genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
> netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
> netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
> netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
> sock_sendmsg_nosec net/socket.c:630 [inline]
> sock_sendmsg+0xca/0x110 net/socket.c:640
> ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
> __sys_sendmsg+0xe5/0x210 net/socket.c:2080
> SYSC_sendmsg net/socket.c:2091 [inline]
> SyS_sendmsg+0x2d/0x50 net/socket.c:2087
> entry_SYSCALL_64_fastpath+0x29/0xa0
> RIP: 0033:0x4537d9
> RSP: 002b:7fa225171c58 EFLAGS: 0212 ORIG_RAX: 002e
> RAX: ffda RBX: 7fa225172700 RCX: 004537d9
> RDX: RSI: 20003000 RDI: 0013
> RBP: R08: R09:
> R10: R11: 0212 R12:
> R13: 00a2f09f R14: 7fa2251729c0 R15:
> sctp: [Deprecated]: syz-executor1 (pid 6246) Use of struct sctp_assoc_value
> in delayed_ack socket option.
> Use struct sctp_sack_info instead
> netlink: 'syz-executor2': attribute type 11 has an invalid length.
> netlink: 'syz-executor2': attribute type 11 has an invalid length.
> netlink: 8 bytes leftover after parsing attributes in process
> `syz-executor0'.
> netlink: 8 bytes leftover after parsing attributes in process
> `syz-executor0'.
> netlink: 8 bytes leftover after parsing attributes in process
> `syz-executor5'.
> netlink: 8 bytes leftover after parsing attributes in process
> `syz-executor5'.
> netlink: 8 bytes leftover after parsing attributes in process
> `syz-executor5'.
> netli