Re: unregister_netdevice: waiting for DEV to become free
From: Tetsuo Handa
Date: Fri Jul 27 2018 - 09:01:30 EST
Hello.
Since this bug is top crasher (124264 times in 98 days is almost "every minute").
I made a simplified C reproducer based on the C reproducer provided by syzbot.
It seems that setsockopt(SOL_IPV6, IPV6_XFRM_POLICY) is involved to this trouble.
----------------------------------------
#define _GNU_SOURCE
#include <sched.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
ip6tnl0: flags=128<NOARP> mtu 1452
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
*/
#define IP_DEVNAME "ip6tnl0"
int main(int argc, char *argv[])
{
struct sockaddr_in6 addr = { };
int fd;
if (unshare(CLONE_NEWNET))
return 1;
fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
if (system("ip link set dev " IP_DEVNAME " up"))
return 2;
setsockopt(fd, SOL_IPV6, IPV6_XFRM_POLICY, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\254\24\24\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0+\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\7\0\0\0\r5M&", 0xe8);
addr.sin6_family = AF_INET6;
inet_pton(AF_INET6, "fe80::bb", &addr.sin6_addr);
addr.sin6_scope_id = 9;
connect(fd, (struct sockaddr *) &addr, sizeof(addr));
return 0;
}
----------------------------------------