Re: unregister_netdevice: waiting for DEV to become free
From: Tetsuo Handa
Date: Tue Jul 31 2018 - 07:16:58 EST
Steffen and Herbert,
Do you have any question? I think I provided enough information for debugging.
This problem occurs because two dev_put() calls are missing (compared with not
calling setsockopt(SOL_IPV6, IPV6_XFRM_POLICY)) because dst_release() is not
called via fib6_info_destroy_rcu() when we called xfrm_compile_policy() from
xfrm_user_policy() from setsockopt(SOL_IPV6, IPV6_XFRM_POLICY).
[ 39.981210] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 4.18.0-rc6+ #457
[ 39.982879] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 39.985689] Call Trace:
[ 39.986269] <IRQ>
[ 39.986792] dump_stack+0x99/0xdc
[ 39.987601] dst_destroy_hook+0x29/0x2b
[ 39.988517] dst_release+0x28/0x70
[ 39.989481] fib6_info_destroy_rcu+0x8e/0x100
[ 39.990409] ? fib6_walk_continue+0x1c0/0x1c0
[ 39.991355] rcu_process_callbacks+0x2cb/0x870
[ 39.992376] ? rcu_process_callbacks+0x266/0x870
[ 39.993352] __do_softirq+0xcf/0x49b
[ 39.994119] irq_exit+0xc2/0xd0
[ 39.994819] smp_apic_timer_interrupt+0xa4/0x2d0
[ 39.995918] apic_timer_interrupt+0xf/0x20
[ 39.996883] </IRQ>
On 2018/07/27 22:00, Tetsuo Handa wrote:
> Hello.
>
> Since this bug is top crasher (124264 times in 98 days is almost "every minute").
> I made a simplified C reproducer based on the C reproducer provided by syzbot.
> It seems that setsockopt(SOL_IPV6, IPV6_XFRM_POLICY) is involved to this trouble.
>
> ----------------------------------------
> #define _GNU_SOURCE
> #include <sched.h>
> #include <stdlib.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
>
> /*
> ip6tnl0: flags=128<NOARP> mtu 1452
> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 0 bytes 0 (0.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> */
> #define IP_DEVNAME "ip6tnl0"
>
> int main(int argc, char *argv[])
> {
> struct sockaddr_in6 addr = { };
> int fd;
> if (unshare(CLONE_NEWNET))
> return 1;
> fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
> if (system("ip link set dev " IP_DEVNAME " up"))
> return 2;
> setsockopt(fd, SOL_IPV6, IPV6_XFRM_POLICY, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\254\24\24\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0+\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\7\0\0\0\r5M&", 0xe8);
> addr.sin6_family = AF_INET6;
> inet_pton(AF_INET6, "fe80::bb", &addr.sin6_addr);
> addr.sin6_scope_id = 9;
> connect(fd, (struct sockaddr *) &addr, sizeof(addr));
> return 0;
> }
> ----------------------------------------
>