Re: [syzbot] [net?] WARNING in cleanup_net (3)

From: syzbot
Date: Sat Apr 06 2024 - 23:20:11 EST


Hello,

syzbot tried to test the proposed patch but the build/boot failed:

are+0x38/0x40
[ 77.597915][ T5085] do_syscall_64+0xfd/0x240
[ 77.597915][ T5085] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 77.597915][ T5085]
[ 77.673058][ T5085] ref_tracker: net notrefcnt@ffff8880226f01d8 skipped reports about 9/30 users.
[ 77.701239][ T61] ==================================================================
[ 77.709356][ T61] BUG: KASAN: slab-use-after-free in net_generic+0x137/0x240
[ 77.716805][ T61] Read of size 8 at addr ffff88802a43e828 by task kworker/u8:4/61
[ 77.724631][ T61]
[ 77.726967][ T61] CPU: 0 PID: 61 Comm: kworker/u8:4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 77.737146][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 77.747221][ T61] Workqueue: ipv6_addrconf addrconf_dad_work
[ 77.753246][ T61] Call Trace:
[ 77.756539][ T61] <TASK>
[ 77.759487][ T61] dump_stack_lvl+0x241/0x360
[ 77.764202][ T61] ? __pfx_dump_stack_lvl+0x10/0x10
[ 77.769440][ T61] ? __pfx__printk+0x10/0x10
[ 77.774072][ T61] ? _printk+0xd5/0x120
[ 77.778297][ T61] ? __virt_addr_valid+0x183/0x520
[ 77.783446][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.788325][ T61] print_report+0x169/0x550
[ 77.792863][ T61] ? __virt_addr_valid+0x183/0x520
[ 77.798012][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.802893][ T61] ? __virt_addr_valid+0x44e/0x520
[ 77.808045][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.812923][ T61] ? __phys_addr+0xba/0x170
[ 77.817639][ T61] ? net_generic+0x137/0x240
[ 77.822251][ T61] kasan_report+0x143/0x180
[ 77.826801][ T61] ? net_generic+0x137/0x240
[ 77.831422][ T61] ? net_generic+0x1f/0x240
[ 77.835957][ T61] net_generic+0x137/0x240
[ 77.840395][ T61] call_fib_notifiers+0x23/0x60
[ 77.845304][ T61] fib6_add+0x1bd5/0x4430
[ 77.849707][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 77.856103][ T61] ? __pfx_lock_acquire+0x10/0x10
[ 77.861152][ T61] ? __pfx_fib6_add+0x10/0x10
[ 77.865864][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.870742][ T61] ? do_raw_spin_lock+0x14f/0x370
[ 77.875798][ T61] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 77.881630][ T61] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.887037][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.891919][ T61] ? ip6_ins_rt+0xf0/0x170
[ 77.896369][ T61] ip6_ins_rt+0x106/0x170
[ 77.900730][ T61] ? __pfx_ip6_ins_rt+0x10/0x10
[ 77.905616][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.910489][ T61] ? nlmsg_notify+0x15a/0x1c0
[ 77.915196][ T61] __ipv6_ifa_notify+0x5ca/0x11f0
[ 77.920243][ T61] ? __pfx___ipv6_ifa_notify+0x10/0x10
[ 77.925724][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.930599][ T61] ? mark_lock+0x9a/0x350
[ 77.934959][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.939842][ T61] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 77.945852][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 77.952210][ T61] ? __cancel_work+0x26a/0x390
[ 77.957001][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.961878][ T61] ? lockdep_hardirqs_on+0x99/0x150
[ 77.967113][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.971989][ T61] ? __cancel_work+0x2ef/0x390
[ 77.976790][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 77.983154][ T61] addrconf_dad_completed+0x181/0xcd0
[ 77.988570][ T61] ? __pfx_addrconf_dad_completed+0x10/0x10
[ 77.994527][ T61] ? addrconf_dad_work+0x58a/0x16f0
[ 77.999783][ T61] addrconf_dad_work+0xdc2/0x16f0
[ 78.004876][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.009767][ T61] ? __pfx_addrconf_dad_work+0x10/0x10
[ 78.015276][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.021642][ T61] ? process_scheduled_works+0x91b/0x1770
[ 78.027395][ T61] process_scheduled_works+0xa02/0x1770
[ 78.032992][ T61] ? __pfx_process_scheduled_works+0x10/0x10
[ 78.039006][ T61] ? assign_work+0x364/0x3d0
[ 78.043622][ T61] worker_thread+0x86d/0xd70
[ 78.048241][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.054174][ T61] ? __kthread_parkme+0x169/0x1d0
[ 78.059229][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.064420][ T61] kthread+0x2f2/0x390
[ 78.068528][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.073668][ T61] ? __pfx_kthread+0x10/0x10
[ 78.078288][ T61] ret_from_fork+0x4d/0x80
[ 78.082745][ T61] ? __pfx_kthread+0x10/0x10
[ 78.087372][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.092213][ T61] </TASK>
[ 78.095242][ T61]
[ 78.097572][ T61] Allocated by task 5073:
[ 78.101905][ T61] kasan_save_track+0x3f/0x80
[ 78.106607][ T61] __kasan_kmalloc+0x98/0xb0
[ 78.111229][ T61] __kmalloc+0x233/0x4a0
[ 78.115490][ T61] copy_net_ns+0x10e/0x7b0
[ 78.119929][ T61] create_new_namespaces+0x425/0x7b0
[ 78.125249][ T61] unshare_nsproxy_namespaces+0x124/0x180
[ 78.130996][ T61] ksys_unshare+0x619/0xc10
[ 78.135525][ T61] __x64_sys_unshare+0x38/0x40
[ 78.140320][ T61] do_syscall_64+0xfd/0x240
[ 78.144846][ T61] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 78.150767][ T61]
[ 78.153098][ T61] Freed by task 5085:
[ 78.157087][ T61] kasan_save_track+0x3f/0x80
[ 78.161793][ T61] kasan_save_free_info+0x40/0x50
[ 78.166858][ T61] poison_slab_object+0xa6/0xe0
[ 78.171748][ T61] __kasan_slab_free+0x37/0x60
[ 78.176539][ T61] kfree+0x14a/0x380
[ 78.180452][ T61] net_drop_ns+0x6e/0xc0
[ 78.184724][ T61] iterate_cleanup_work+0x1d2/0x260
[ 78.189945][ T61] process_scheduled_works+0xa02/0x1770
[ 78.195511][ T61] worker_thread+0x86d/0xd70
[ 78.200123][ T61] kthread+0x2f2/0x390
[ 78.204225][ T61] ret_from_fork+0x4d/0x80
[ 78.208678][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.213470][ T61]
[ 78.215805][ T61] The buggy address belongs to the object at ffff88802a43e800
[ 78.215805][ T61] which belongs to the cache kmalloc-1k of size 1024
[ 78.229884][ T61] The buggy address is located 40 bytes inside of
[ 78.229884][ T61] freed 1024-byte region [ffff88802a43e800, ffff88802a43ec00)
[ 78.243716][ T61]
[ 78.246057][ T61] The buggy address belongs to the physical page:
executing program
[ 78.252475][ T61] page:ffffea0000a90e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a438
[ 78.262645][ T61] head:ffffea0000a90e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.271623][ T61] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 78.280054][ T61] page_type: 0xffffffff()
[ 78.284404][ T61] raw: 00fff00000000840 ffff888014c41dc0 0000000000000000 dead000000000001
[ 78.293008][ T61] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 78.301607][ T61] page dumped because: kasan: bad access detected
[ 78.308035][ T61] page_owner tracks the page as allocated
[ 78.313762][ T61] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 17639541498, free_ts 0
[ 78.333517][ T61] post_alloc_hook+0x1ea/0x210
[ 78.338325][ T61] get_page_from_freelist+0x33ea/0x3580
[ 78.343899][ T61] __alloc_pages+0x256/0x680
[ 78.348509][ T61] alloc_slab_page+0x5f/0x160
[ 78.353214][ T61] new_slab+0x84/0x2f0
[ 78.357310][ T61] ___slab_alloc+0xc73/0x1260
[ 78.362015][ T61] __kmalloc+0x2e5/0x4a0
[ 78.366275][ T61] ops_init+0x203/0x610
[ 78.370463][ T61] register_pernet_operations+0x2cb/0x660
[ 78.376214][ T61] register_pernet_subsys+0x28/0x40
[ 78.381450][ T61] ip6table_nat_init+0x39/0x80
[ 78.386249][ T61] do_one_initcall+0x23a/0x830
[ 78.391039][ T61] do_initcall_level+0x157/0x210
[ 78.395998][ T61] do_initcalls+0x3f/0x80
[ 78.400347][ T61] kernel_init_freeable+0x435/0x5d0
[ 78.405573][ T61] kernel_init+0x1d/0x2a0
[ 78.409923][ T61] page_owner free stack trace missing
[ 78.415297][ T61]
[ 78.417632][ T61] Memory state around the buggy address:
[ 78.423274][ T61] ffff88802a43e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.431349][ T61] ffff88802a43e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.439423][ T61] >ffff88802a43e800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.447489][ T61] ^
[ 78.452872][ T61] ffff88802a43e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.460943][ T61] ffff88802a43e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.469270][ T61] ==================================================================
[ 78.477394][ T61] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.485047][ T61] CPU: 0 PID: 61 Comm: kworker/u8:4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 78.495225][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 78.505310][ T61] Workqueue: ipv6_addrconf addrconf_dad_work
[ 78.511434][ T61] Call Trace:
[ 78.514731][ T61] <TASK>
[ 78.517685][ T61] dump_stack_lvl+0x241/0x360
[ 78.522408][ T61] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.527653][ T61] ? __pfx__printk+0x10/0x10
[ 78.532296][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.537188][ T61] ? vscnprintf+0x5d/0x90
[ 78.541544][ T61] panic+0x349/0x860
[ 78.545472][ T61] ? check_panic_on_warn+0x21/0xb0
[ 78.550616][ T61] ? __pfx_panic+0x10/0x10
[ 78.555063][ T61] ? mark_lock+0x9a/0x350
[ 78.559419][ T61] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 78.565358][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.570235][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.576165][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 78.582538][ T61] ? print_report+0x502/0x550
[ 78.587259][ T61] check_panic_on_warn+0x86/0xb0
[ 78.592247][ T61] ? net_generic+0x137/0x240
[ 78.596863][ T61] end_report+0x6e/0x140
[ 78.601143][ T61] kasan_report+0x154/0x180
[ 78.605683][ T61] ? net_generic+0x137/0x240
[ 78.610299][ T61] ? net_generic+0x1f/0x240
[ 78.614828][ T61] net_generic+0x137/0x240
[ 78.619269][ T61] call_fib_notifiers+0x23/0x60
[ 78.624143][ T61] fib6_add+0x1bd5/0x4430
[ 78.628522][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 78.634889][ T61] ? __pfx_lock_acquire+0x10/0x10
[ 78.639942][ T61] ? __pfx_fib6_add+0x10/0x10
[ 78.644649][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.649561][ T61] ? do_raw_spin_lock+0x14f/0x370
[ 78.654627][ T61] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 78.660470][ T61] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 78.665884][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.670772][ T61] ? ip6_ins_rt+0xf0/0x170
[ 78.675223][ T61] ip6_ins_rt+0x106/0x170
[ 78.679588][ T61] ? __pfx_ip6_ins_rt+0x10/0x10
[ 78.684474][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.689354][ T61] ? nlmsg_notify+0x15a/0x1c0
[ 78.694064][ T61] __ipv6_ifa_notify+0x5ca/0x11f0
[ 78.699112][ T61] ? __pfx___ipv6_ifa_notify+0x10/0x10
[ 78.704684][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.709561][ T61] ? mark_lock+0x9a/0x350
[ 78.713916][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.718789][ T61] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 78.724967][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.731325][ T61] ? __cancel_work+0x26a/0x390
[ 78.736127][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.741007][ T61] ? lockdep_hardirqs_on+0x99/0x150
[ 78.746238][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.751121][ T61] ? __cancel_work+0x2ef/0x390
[ 78.755923][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.762290][ T61] addrconf_dad_completed+0x181/0xcd0
[ 78.767717][ T61] ? __pfx_addrconf_dad_completed+0x10/0x10
[ 78.773655][ T61] ? addrconf_dad_work+0x58a/0x16f0
[ 78.778900][ T61] addrconf_dad_work+0xdc2/0x16f0
[ 78.783967][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.788852][ T61] ? __pfx_addrconf_dad_work+0x10/0x10
[ 78.794358][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.800727][ T61] ? process_scheduled_works+0x91b/0x1770
[ 78.806474][ T61] process_scheduled_works+0xa02/0x1770
[ 78.812067][ T61] ? __pfx_process_scheduled_works+0x10/0x10
[ 78.818082][ T61] ? assign_work+0x364/0x3d0
[ 78.822754][ T61] worker_thread+0x86d/0xd70
[ 78.827425][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.833368][ T61] ? __kthread_parkme+0x169/0x1d0
[ 78.838514][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.843673][ T61] kthread+0x2f2/0x390
[ 78.847789][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.852931][ T61] ? __pfx_kthread+0x10/0x10
[ 78.857554][ T61] ret_from_fork+0x4d/0x80
[ 78.862007][ T61] ? __pfx_kthread+0x10/0x10
[ 78.866628][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.871440][ T61] </TASK>
[ 78.874677][ T61] Kernel Offset: disabled
[ 78.878995][ T61] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1837125112=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 0ee3535ea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0ee3535ea8ff21d50e44372bb1cfd147e299ab5b\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16af0699180000


Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=148bd8f3180000
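
As an added example (not part of syzbot's message and not syzkaller code), a small Python triage helper that parses the KASAN report quoted above. It extracts the faulting access, the object and the offset inside it, checks that the computed offset agrees with the report's own "located 40 bytes inside" line, drops the unreliable `? ` frames, and names the first non-instrumentation frame on each of the three stacks. Run on the embedded sample (a constructed subset of the lines above with console timestamps stripped) it reports an 8-byte read in net_generic at +40 into a kmalloc-1k object allocated by copy_net_ns and freed by net_drop_ns, with the access running from the ipv6_addrconf workqueue, which is the shape a reviewer would read off the report by hand: a namespace-private pointer dereferenced after netns cleanup freed the object. The PLUMBING prefix list is an assumption tuned to the frames in this report, not a KASAN-defined set.

```python
"""Added triage helper (not syzbot/syzkaller code) for the KASAN report above.
Parses a constructed subset of the report (timestamps stripped) and extracts the
facts a first look needs: access, object, offset, first real frame per stack."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in net_generic+0x137/0x240
Read of size 8 at addr ffff88802a43e828 by task kworker/u8:4/61
Workqueue: ipv6_addrconf addrconf_dad_work
 dump_stack_lvl+0x241/0x360
 ? __pfx_dump_stack_lvl+0x10/0x10
 print_report+0x169/0x550
 kasan_report+0x143/0x180
 net_generic+0x137/0x240
 call_fib_notifiers+0x23/0x60
 fib6_add+0x1bd5/0x4430
 addrconf_dad_work+0xdc2/0x16f0

Allocated by task 5073:
 kasan_save_track+0x3f/0x80
 __kasan_kmalloc+0x98/0xb0
 __kmalloc+0x233/0x4a0
 copy_net_ns+0x10e/0x7b0

Freed by task 5085:
 kasan_save_track+0x3f/0x80
 __kasan_slab_free+0x37/0x60
 kfree+0x14a/0x380
 net_drop_ns+0x6e/0xc0

The buggy address belongs to the object at ffff88802a43e800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
 freed 1024-byte region [ffff88802a43e800, ffff88802a43ec00)
"""

# KASAN/SLUB plumbing (assumed list); the first frame after these is the one to look at.
PLUMBING = ("dump_stack", "print_report", "kasan_report", "kasan_save_",
            "__kasan_", "poison_slab_object", "kfree", "__kmalloc")
# One frame; a leading '? ' marks a stale slot the unwinder could not verify.
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/")

@dataclass
class KasanReport:
    bug_kind: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    workqueue: str = ""
    object_base: int = 0
    object_size: int = 0
    cache: str = ""
    reported_offset: Optional[int] = None
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "freed": []})

    @property
    def offset(self) -> int:
        return self.addr - self.object_base

    def first_real_frame(self, which: str) -> Optional[str]:
        return next((s for s in self.stacks[which] if not s.startswith(PLUMBING)), None)

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for line in text.splitlines():
        if m := re.search(r"BUG: KASAN: (?P<kind>[\w-]+) in ", line):
            rep.bug_kind = m["kind"]
        elif m := re.search(r"(?P<acc>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+)", line):
            rep.access, rep.size, rep.addr = m["acc"], int(m["n"]), int(m["addr"], 16)
            section = "access"
        elif m := re.search(r"Workqueue: (?P<wq>.+)", line):
            rep.workqueue = m["wq"].strip()
        elif m := re.search(r"(Allocated|Freed) by task", line):
            section = m[1][:5].lower()  # "alloc" or "freed"
        elif m := re.search(r"belongs to the object at (?P<base>[0-9a-f]+)", line):
            rep.object_base, section = int(m["base"], 16), None
        elif m := re.search(r"belongs to the cache (?P<cache>\S+) of size (?P<n>\d+)", line):
            rep.cache, rep.object_size = m["cache"], int(m["n"])
        elif m := re.search(r"located (?P<off>\d+) bytes inside", line):
            rep.reported_offset = int(m["off"])
        elif section and (m := FRAME_RE.match(line)) and not m["unreliable"]:
            rep.stacks[section].append(m["sym"])  # '? ' frames are dropped here
    return rep

def triage(rep: KasanReport) -> dict:
    """The facts that drive the first look at a slab UAF report."""
    return {
        "kind": rep.bug_kind,
        "access": f"{rep.access} of {rep.size} bytes at +{rep.offset} in {rep.cache}",
        "inside_object": 0 <= rep.offset < rep.object_size,
        "offset_consistent": rep.reported_offset in (None, rep.offset),
        "faulting_function": rep.first_real_frame("access"),
        "allocator": rep.first_real_frame("alloc"),
        "freer": rep.first_real_frame("freed"),
        "workqueue": rep.workqueue,
    }
```

Feeding a full console log (timestamps and `[ T61]` prefixes included) works as well, since every match uses `re.search` except the frame regex, which would need the `[ ts][ Tn]` prefix stripped first. The offset check matters in practice: when the computed `addr - object_base` disagrees with the "located N bytes inside" line, the report was stitched from two different crashes or mangled by the console.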