1. Patchew
  2. linux
  3. View series

[syzbot] [lsm?] [net?] WARNING in kvfree_call_rcu

Kuniyuki Iwashima posted 1 patch 3 months ago
[syzbot] [lsm?] [net?] WARNING in kvfree_call_rcu
Posted by Kuniyuki Iwashima 3 months ago 
From: syzbot <syzbot+40bf00346c3fe40f90f2@syzkaller.appspotmail.com>
Date: Tue, 08 Jul 2025 15:27:28 -0700
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7482bb149b9f Merge branch 'for-next/core' into for-kernelci
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=130c528c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=3c06e3e2454512b3
> dashboard link: https://syzkaller.appspot.com/bug?extid=40bf00346c3fe40f90f2
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1257428c580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15fe9582580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f623d741d651/disk-7482bb14.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/483e23ae71b1/vmlinux-7482bb14.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/79b5baaa1b50/Image-7482bb14.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+40bf00346c3fe40f90f2@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> ODEBUG: activate active (active state 1) object: 000000006921da73 object type: rcu_head hint: 0x0
> WARNING: CPU: 0 PID: 6718 at lib/debugobjects.c:615 debug_print_object lib/debugobjects.c:612 [inline]
> WARNING: CPU: 0 PID: 6718 at lib/debugobjects.c:615 debug_object_activate+0x344/0x460 lib/debugobjects.c:842
> Modules linked in:
> CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : debug_print_object lib/debugobjects.c:612 [inline]
> pc : debug_object_activate+0x344/0x460 lib/debugobjects.c:842
> lr : debug_print_object lib/debugobjects.c:612 [inline]
> lr : debug_object_activate+0x344/0x460 lib/debugobjects.c:842
> sp : ffff8000a03a76d0
> x29: ffff8000a03a76d0 x28: ffff8000976d7000 x27: dfff800000000000
> x26: ffff80008afc2480 x25: 0000000000000001 x24: ffff8000891ac9a0
> x23: 0000000000000003 x22: ffff80008b539420 x21: 0000000000000000
> x20: ffff80008afc2480 x19: ffff8000891ac9a0 x18: 00000000ffffffff
> x17: 3761643132393630 x16: ffff80008ae642c8 x15: ffff700011ede14c
> x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff
> x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000
> x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001
> x5 : ffff8000a03a7018 x4 : ffff80008f766c20 x3 : ffff80008054d360
> x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000
> Call trace:
>  debug_print_object lib/debugobjects.c:612 [inline] (P)
>  debug_object_activate+0x344/0x460 lib/debugobjects.c:842 (P)
>  debug_rcu_head_queue kernel/rcu/rcu.h:236 [inline]
>  kvfree_call_rcu+0x4c/0x3f0 mm/slab_common.c:1953
>  cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914
>  netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000
>  smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581
>  smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912
>  security_inode_setsecurity+0x118/0x3c0 security/security.c:2706
>  __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251
>  __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295
>  vfs_setxattr+0x158/0x2ac fs/xattr.c:321
>  do_setxattr fs/xattr.c:636 [inline]
>  file_setxattr+0x1b8/0x294 fs/xattr.c:646
>  path_setxattrat+0x2ac/0x320 fs/xattr.c:711
>  __do_sys_fsetxattr fs/xattr.c:761 [inline]
>  __se_sys_fsetxattr fs/xattr.c:758 [inline]
>  __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
>  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
>  el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
>  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> irq event stamp: 739
> hardirqs last  enabled at (738): [<ffff80008055484c>] __up_console_sem kernel/printk/printk.c:344 [inline]
> hardirqs last  enabled at (738): [<ffff80008055484c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
> hardirqs last disabled at (739): [<ffff80008aef73d4>] el1_brk64+0x1c/0x48 arch/arm64/kernel/entry-common.c:574
> softirqs last  enabled at (668): [<ffff8000891992e0>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
> softirqs last  enabled at (668): [<ffff8000891992e0>] release_sock+0x14c/0x1ac net/core/sock.c:3776
> softirqs last disabled at (712): [<ffff800082c8970c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
> ---[ end trace 0000000000000000 ]---
> ------------[ cut here ]------------
> ODEBUG: active_state active (active state 1) object: 000000006921da73 object type: rcu_head hint: 0x0
> WARNING: CPU: 0 PID: 6718 at lib/debugobjects.c:615 debug_print_object lib/debugobjects.c:612 [inline]
> WARNING: CPU: 0 PID: 6718 at lib/debugobjects.c:615 debug_object_active_state+0x28c/0x350 lib/debugobjects.c:1064
> Modules linked in:
> CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G        W           6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT 
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : debug_print_object lib/debugobjects.c:612 [inline]
> pc : debug_object_active_state+0x28c/0x350 lib/debugobjects.c:1064
> lr : debug_print_object lib/debugobjects.c:612 [inline]
> lr : debug_object_active_state+0x28c/0x350 lib/debugobjects.c:1064
> sp : ffff8000a03a76c0
> x29: ffff8000a03a76d0 x28: ffff80008f671000 x27: dfff800000000000
> x26: 0000000000000003 x25: 0000000000000000 x24: ffff0000cb6fd7a8
> x23: 0000000000000001 x22: ffff80008afc2480 x21: ffff80008b539420
> x20: 0000000000000000 x19: ffff8000891ac9a0 x18: 00000000ffffffff
> x17: 3239363030303030 x16: ffff80008ae642c8 x15: ffff700011ede14c
> x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff
> x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000
> x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001
> x5 : ffff8000a03a7018 x4 : ffff80008f766c20 x3 : ffff80008054d360
> x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000
> Call trace:
>  debug_print_object lib/debugobjects.c:612 [inline] (P)
>  debug_object_active_state+0x28c/0x350 lib/debugobjects.c:1064 (P)
>  debug_rcu_head_queue kernel/rcu/rcu.h:237 [inline]
>  kvfree_call_rcu+0x64/0x3f0 mm/slab_common.c:1953
>  cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914
>  netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000
>  smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581
>  smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912
>  security_inode_setsecurity+0x118/0x3c0 security/security.c:2706
>  __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251
>  __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295
>  vfs_setxattr+0x158/0x2ac fs/xattr.c:321
>  do_setxattr fs/xattr.c:636 [inline]
>  file_setxattr+0x1b8/0x294 fs/xattr.c:646
>  path_setxattrat+0x2ac/0x320 fs/xattr.c:711
>  __do_sys_fsetxattr fs/xattr.c:761 [inline]
>  __se_sys_fsetxattr fs/xattr.c:758 [inline]
>  __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
>  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
>  el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
>  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> irq event stamp: 765
> hardirqs last  enabled at (764): [<ffff80008055484c>] __up_console_sem kernel/printk/printk.c:344 [inline]
> hardirqs last  enabled at (764): [<ffff80008055484c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
> hardirqs last disabled at (765): [<ffff80008aef73d4>] el1_brk64+0x1c/0x48 arch/arm64/kernel/entry-common.c:574
> softirqs last  enabled at (668): [<ffff8000891992e0>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
> softirqs last  enabled at (668): [<ffff8000891992e0>] release_sock+0x14c/0x1ac net/core/sock.c:3776
> softirqs last disabled at (712): [<ffff800082c8970c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
> ---[ end trace 0000000000000000 ]---
> ------------[ cut here ]------------
> kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73
> WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
> Modules linked in:
> CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G        W           6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT 
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
> lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
> sp : ffff8000a03a7730
> x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3
> x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00
> x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0
> x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff
> x17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c
> x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff
> x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000
> x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001
> x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360
> x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000
> Call trace:
>  kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)
>  cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914
>  netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000
>  smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581
>  smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912
>  security_inode_setsecurity+0x118/0x3c0 security/security.c:2706
>  __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251
>  __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295
>  vfs_setxattr+0x158/0x2ac fs/xattr.c:321
>  do_setxattr fs/xattr.c:636 [inline]
>  file_setxattr+0x1b8/0x294 fs/xattr.c:646
>  path_setxattrat+0x2ac/0x320 fs/xattr.c:711
>  __do_sys_fsetxattr fs/xattr.c:761 [inline]
>  __se_sys_fsetxattr fs/xattr.c:758 [inline]
>  __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
>  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
>  el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
>  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> irq event stamp: 789
> hardirqs last  enabled at (788): [<ffff80008055484c>] __up_console_sem kernel/printk/printk.c:344 [inline]
> hardirqs last  enabled at (788): [<ffff80008055484c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
> hardirqs last disabled at (789): [<ffff80008aef73d4>] el1_brk64+0x1c/0x48 arch/arm64/kernel/entry-common.c:574
> softirqs last  enabled at (668): [<ffff8000891992e0>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
> softirqs last  enabled at (668): [<ffff8000891992e0>] release_sock+0x14c/0x1ac net/core/sock.c:3776
> softirqs last disabled at (712): [<ffff800082c8970c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
> ---[ end trace 0000000000000000 ]---
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash

#syz test

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 3760131f14845..1fa519c597196 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -360,6 +360,16 @@ static void smc_destruct(struct sock *sk)
 		return;
 	if (!sock_flag(sk, SOCK_DEAD))
 		return;
+	switch (sk->sk_family) {
+	case AF_INET:
+		inet_sock_destruct(sk);
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case AF_INET6:
+		inet6_sock_destruct(sk);
+		break;
+#endif
+	}
 }
 
 static struct lock_class_key smc_key;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 78ae10d06ed2e..cc59d0f03e261 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -283,7 +283,10 @@ struct smc_connection {
 };
 
 struct smc_sock {				/* smc sock container */
-	struct sock		sk;
+	union {
+		struct sock		sk;
+		struct inet_sock	icsk_inet;
+	};
 #if IS_ENABLED(CONFIG_IPV6)
 	struct ipv6_pinfo	*pinet6;
 #endif
Re: [syzbot] [lsm?] [net?] WARNING in kvfree_call_rcu
Posted by syzbot 3 months ago 
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/smc/af_smc.c:365:3: error: call to undeclared function 'inet_sock_destruct'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]


Tested on:

commit:         ec480130 Merge branches 'for-next/core' and 'for-next/..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
kernel config:  https://syzkaller.appspot.com/x/.config?x=3c06e3e2454512b3
dashboard link: https://syzkaller.appspot.com/bug?extid=40bf00346c3fe40f90f2
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=130a6bd4580000
Re: [syzbot] [lsm?] [net?] WARNING in kvfree_call_rcu
Posted by Kuniyuki Iwashima 3 months ago 
From: syzbot <syzbot+40bf00346c3fe40f90f2@syzkaller.appspotmail.com>
Date: Tue, 08 Jul 2025 15:54:02 -0700
> Hello,
> 
> syzbot tried to test the proposed patch but the build/boot failed:
> 
> net/smc/af_smc.c:365:3: error: call to undeclared function 'inet_sock_destruct'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
>

#syz test

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 3760131f14845..1882bab8e00e7 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -30,6 +30,10 @@
 #include <linux/splice.h>
 
 #include <net/sock.h>
+#include <net/inet_common.h>
+#if IS_ENABLED(CONFIG_IPV6)
+#include <net/ipv6.h>
+#endif
 #include <net/tcp.h>
 #include <net/smc.h>
 #include <asm/ioctls.h>
@@ -360,6 +364,16 @@ static void smc_destruct(struct sock *sk)
 		return;
 	if (!sock_flag(sk, SOCK_DEAD))
 		return;
+	switch (sk->sk_family) {
+	case AF_INET:
+		inet_sock_destruct(sk);
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case AF_INET6:
+		inet6_sock_destruct(sk);
+		break;
+#endif
+	}
 }
 
 static struct lock_class_key smc_key;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 78ae10d06ed2e..cc59d0f03e261 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -283,7 +283,10 @@ struct smc_connection {
 };
 
 struct smc_sock {				/* smc sock container */
-	struct sock		sk;
+	union {
+		struct sock		sk;
+		struct inet_sock	icsk_inet;
+	};
 #if IS_ENABLED(CONFIG_IPV6)
 	struct ipv6_pinfo	*pinet6;
 #endif
Re: [syzbot] [lsm?] [net?] WARNING in kvfree_call_rcu
Posted by Paolo Abeni 2 months, 4 weeks ago 
On 7/9/25 1:17 AM, Kuniyuki Iwashima wrote:
> From: syzbot <syzbot+40bf00346c3fe40f90f2@syzkaller.appspotmail.com>
> Date: Tue, 08 Jul 2025 15:54:02 -0700
>> Hello,
>>
>> syzbot tried to test the proposed patch but the build/boot failed:
>>
>> net/smc/af_smc.c:365:3: error: call to undeclared function 'inet_sock_destruct'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
>>
> 
> #syz test

Please, strip down the CC list to strictly skyzaller related recipients
while sending this kind of test, as they may foul PW and the CI.

Thanks,

Paolo
Re: [syzbot] [lsm?] [net?] WARNING in kvfree_call_rcu
Posted by syzbot 3 months ago 
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+40bf00346c3fe40f90f2@syzkaller.appspotmail.com
Tested-by: syzbot+40bf00346c3fe40f90f2@syzkaller.appspotmail.com

Tested on:

commit:         ec480130 Merge branches 'for-next/core' and 'for-next/..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17268a8c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9e99b6fcd403d050
dashboard link: https://syzkaller.appspot.com/bug?extid=40bf00346c3fe40f90f2
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13fa6bd4580000

Note: testing is done by a robot and is best-effort only.

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.