【Title description】Briefly describe the problem: in what scenario, what operation was performed, and what problem occurred (prefer a positive phrasing)
Problem found by syzkaller fuzzing; the crash stack is as follows:
BUG: spinlock already unlocked on CPU#0, ksoftirqd/0/12
lock: 0xffff8881138c6a70, .magic: dead4ead, .owner: /-1, .owner_cpu: -1
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 5.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack+0x9c/
do_raw_spin_unlock+0x16
__raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock+0x1f/0x30 kernel/locking/spinlock.c:183
spin_unlock include/linux/spinlock.h:394 [inline]
inet_csk_reqsk_queue_add+0x1b0/0x250 net/ipv4/inet_connection_sock.c:1005
tcp_get_cookie_sock+0x1ff/0x4f0 net/ipv4/syncookies.c:221
cookie_v4_check+0x161b/0x2240 net/ipv4/syncookies.c:453
tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1640 [inline]
tcp_v4_do_rcv+0x59f/0x7c0 net/ipv4/tcp_ipv4.c:1695
tcp_v4_rcv+0x3eaa/0x44e0 net/ipv4/tcp_ipv4.c:2060
ip_protocol_deliver_rcu+0x25a/0x840 net/ipv4/ip_input.c:204
ip_local_deliver_finish+0x1d9/0x260 net/ipv4/ip_input.c:231
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_local_deliver+0x17c/0x360 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:459 [inline]
ip_rcv_finish+0x198/0x2b0 net/ipv4/ip_input.c:435
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_rcv+0xcd/0x240 net/ipv4/ip_input.c:546
__netif_receive_skb_one_core+0x1a0/0x1f0 net/core/dev.c:5366
__netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5480
process_backlog+0x1ec/0x540 net/core/dev.c:6386
napi_poll+0x23b/0x7c0 net/core/dev.c:6837
net_rx_action+0x1fe/0x700 net/core/dev.c:6907
__do_softirq+0x1c3/0x5d9 kernel/softirq.c:298
run_ksoftirqd kernel/softirq.c:654 [inline]
run_ksoftirqd+0x1e/0x30 kernel/softirq.c:646
smpboot_thread_fn+0x334/0x700 kernel/smpboot.c:164
kthread+0x2fe/0x410 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
------------[ cut here ]------------
pvqspinlock: lock 0xffff8881138c6a70 has corrupted value 0x0!
WARNING: CPU: 0 PID: 12 at kernel/locking/qspinlock_paravirt.h:498 __pv_queued_spin_unlock_slowpath+0x1eb/0x260 kernel/locking/qspinlock_paravirt.h:498
Modules linked in:
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 5.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:__pv_queued_spin_unlock_slowpath+0x1eb/0x260 kernel/locking/qspinlock_paravirt.h:498
Code: ea 03 0f b6 14 02 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 70 41 8b 14 24 4c 89 e6 48 c7 c7 c0 cf e9 92 e8 3d be fd 01 <0f> 0b e9 68 ff ff ff 48 89 df 48 89 14 24 e8 72 3b 62 00 48 8b 14
RSP: 0018:ffff888100367470 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 000000001442f64f RCX: 0000000000000000
RDX: ffff888100350000 RSI: 0000000000000008 RDI: ffffed102006ce80
RBP: ffff8881138c6a70 R08: 0000000000000001 R09: ffff88811a401de7
R10: ffffed10234803bc R11: 0000000000000001 R12: ffff8881138c6a70
R13: ffff8881138c6a80 R14: ffff8881138c6a70 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88811a200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000040416003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
__raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x24
.slowpath+0x9/0x16
pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:559 [inline]
queued_spin_unlock arch/x86/include/asm/qspinlock.h:60 [inline]
do_raw_spin_unlock+0x149/0x1f0 kernel/locking/spinlock_debug.c:139
__raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock+0x1f/0x30 kernel/locking/spinlock.c:183
spin_unlock include/linux/spinlock.h:394 [inline]
inet_csk_reqsk_queue_add+0x1b0/0x250 net/ipv4/inet_connection_sock.c:1005
tcp_get_cookie_sock+0x1ff/0x4f0 net/ipv4/syncookies.c:221
cookie_v4_check+0x161b/0x2240 net/ipv4/syncookies.c:453
tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1640 [inline]
tcp_v4_do_rcv+0x59f/0x7c0 net/ipv4/tcp_ipv4.c:1695
tcp_v4_rcv+0x3eaa/0x44e0 net/ipv4/tcp_ipv4.c:2060
ip_protocol_deliver_rcu+0x25a/0x840 net/ipv4/ip_input.c:204
ip_local_deliver_finish+0x1d9/0x260 net/ipv4/ip_input.c:231
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_local_deliver+0x17c/0x360 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:459 [inline]
ip_rcv_finish+0x198/0x2b0 net/ipv4/ip_input.c:435
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_rcv+0xcd/0x240 net/ipv4/ip_input.c:546
__netif_receive_skb_one_core+0x1a0/0x1f0 net/core/dev.c:5366
__netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5480
process_backlog+0x1ec/0x540 net/core/dev.c:6386
napi_poll+0x23b/0x7c0 net/core/dev.c:6837
net_rx_action+0x1fe/0x700 net/core/dev.c:6907
__do_softirq+0x1c3/0x5d9 kernel/softirq.c:298
run_ksoftirqd kernel/softirq.c:654 [inline]
run_ksoftirqd+0x1e/0x30 kernel/softirq.c:646
smpboot_thread_fn+0x334/0x700 kernel/smpboot.c:164
kthread+0x2fe/0x410 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
---[ end trace 49faeb4e945e7234 ]---
net_ratelimit: 7373 callbacks suppressed
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies. Check SNMP counters.
net_ratelimit: 8284 callbacks suppressed
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies. Check SNMP counters.
Syzkaller reproducer:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x0, @empty}, 0x1c)
listen(r0, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x0)
connect$inet6(r1, &(0x7f0000000040)={0xa, 0x4e23, 0x0, @ipv4={'\x00', '\xff\xff', @empty}}, 0x1c)
shutdown(r0, 0x0)
listen(r0, 0x7fffffff)
【Environment information】
Hardware information
Software information
OS version and branch information
openEuler-22.03-LTS-SP1
Kernel information
openEuler-22.03-LTS-SP1
Version information of the component where the problem was found
If there is a special network setup, please provide the network topology
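A small triage helper for the kind of lock-debug output shown above, added here as an example and not part of this report or of the openEuler project: it walks a dmesg excerpt, records each BUG:/WARNING: event with the lock address it refers to and the first call-trace frame outside the locking infrastructure, and collects the ports named in the SYN-flood messages, so the two events can be checked for pointing at the same lock and the same caller. The sample log is a constructed excerpt of the lines in this report, and the INFRA_PREFIXES blame heuristic is an assumption of this example.

```python
import re

# Constructed excerpt: lines copied from the oops in this report, trimmed to a few frames.
SAMPLE_LOG = """\
BUG: spinlock already unlocked on CPU#0, ksoftirqd/0/12
 lock: 0xffff8881138c6a70, .magic: dead4ead, .owner: /-1, .owner_cpu: -1
Call Trace:
 __raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline]
 _raw_spin_unlock+0x1f/0x30 kernel/locking/spinlock.c:183
 inet_csk_reqsk_queue_add+0x1b0/0x250 net/ipv4/inet_connection_sock.c:1005
------------[ cut here ]------------
pvqspinlock: lock 0xffff8881138c6a70 has corrupted value 0x0!
WARNING: CPU: 0 PID: 12 at kernel/locking/qspinlock_paravirt.h:498 __pv_queued_spin_unlock_slowpath+0x1eb/0x260 kernel/locking/qspinlock_paravirt.h:498
 do_raw_spin_unlock+0x149/0x1f0 kernel/locking/spinlock_debug.c:139
 inet_csk_reqsk_queue_add+0x1b0/0x250 net/ipv4/inet_connection_sock.c:1005
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies. Check SNMP counters.
"""
EVENT_RE = re.compile(r"^(BUG|WARNING): (.*)$")
LOCK_RE = re.compile(r"lock[: ]+(0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)( \[inline\])?$")
SYNFLOOD_RE = re.compile(r"Possible SYN flooding on port (\d+)")
# Assumed heuristic: locking-infrastructure frames are never the caller we want to blame.
INFRA_PREFIXES = ("kernel/locking/", "include/linux/", "arch/")
def triage(text):
    """Per BUG:/WARNING: event: kind, lock address, first blamed frame; plus SYN-flood ports."""
    events, ports = [], set()
    pending_lock = None  # address printed *before* its WARNING: line (pvqspinlock style)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"kind": m.group(1), "msg": m.group(2),
                           "lock": pending_lock, "frame": None})
            pending_lock = None
            continue
        m = FRAME_RE.match(line)
        if m:
            name, location, inlined = m.groups()
            if events and events[-1]["frame"] is None and not inlined \
                    and not location.startswith(INFRA_PREFIXES):
                events[-1]["frame"] = f"{name} {location}"
            continue
        m = LOCK_RE.search(line)
        if m and events and events[-1]["lock"] is None:
            events[-1]["lock"] = m.group(1)  # " lock: 0x..." printed after a BUG: line
        elif m:
            pending_lock = m.group(1)        # "pvqspinlock: lock 0x..." printed before WARNING:
        ports.update(int(p) for p in SYNFLOOD_RE.findall(line))
    locks = {e["lock"] for e in events if e["lock"]}
    return {"events": events, "syn_flood_ports": sorted(ports), "same_lock": len(events) > 1 and len(locks) == 1}
```

Running `triage(SAMPLE_LOG)` on the excerpt resolves both events to the same lock and to `inet_csk_reqsk_queue_add net/ipv4/inet_connection_sock.c:1005`, which is the frame to start reading from before the locking primitives.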
syzkaller has a reproducer program, but it does not fit in the issue; the character limit is exceeded.
You can add it as an attachment.
I don't have attachment permission. I'm pasting it here.
https://gitee.com/sming56/syzbugs/blob/master/bug-1
Added kernel build options:
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
CONFIG_REFCOUNT_FULL=y
CONFIG_BLK_DEV_SD=y
CONFIG_ATA=y
CONFIG_ATA_PIIX=y
CONFIG_EXT4_FS=y
CONFIG_E1000=y
CONFIG_BINFMT_MISC=y
I can reproduce it with this image + qemu.
https://repo.openeuler.org/openEuler-22.03-LTS/virtual_machine_img/x86_64/
I have followed your instructions to reproduce it, but cannot reproduce it yet. From the log you provided, a large number of SYN packets were received, which may affect reproduction. What workload are you running, and how can I simulate your workload?
It can be reproduced; it takes about 3 hours or so.
There is a problem with this link; it cannot be accessed.
A fix patch for this issue has been submitted to the Linux mainline, https://patchwork.kernel.org/project/netdevbpf/patch/20240112013644.3079454-1-shaozhengchao@huawei.com/, pending mainline review.