From lkp at intel.com Sun Sep 1 05:13:38 2024
From: lkp at intel.com (kernel test robot)
Date: Sun, 01 Sep 2024 05:13:38 -0000
Subject: [PATCH net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
In-Reply-To: <20240830194103.2186774-1-jrife@google.com>
References: <20240830194103.2186774-1-jrife@google.com>
Message-ID: <202409011256.CWrnquxQ-lkp@intel.com>

Hi Jordan,

kernel test robot noticed the following build warnings:

[auto build test WARNING on net-next/main]

url:    https://github.com/intel-lab-lkp/linux/commits/Jordan-Rife/wireguard-allowedips-Add-WGALLOWEDIP_F_REMOVE_ME-flag/20240831-034712
base:   net-next/main
patch link:    https://lore.kernel.org/r/20240830194103.2186774-1-jrife%40google.com
patch subject: [PATCH net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
config: i386-randconfig-062-20240901 (https://download.01.org/0day-ci/archive/20240901/202409011256.CWrnquxQ-lkp at intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240901/202409011256.CWrnquxQ-lkp at intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot
| Closes: https://lore.kernel.org/oe-kbuild-all/202409011256.CWrnquxQ-lkp at intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/net/wireguard/allowedips.c:257:24: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct list_head *entry @@ got struct list_head [noderef] __rcu * @@
   drivers/net/wireguard/allowedips.c:257:24: sparse:     expected struct list_head *entry
   drivers/net/wireguard/allowedips.c:257:24: sparse:     got struct list_head [noderef] __rcu *
>> drivers/net/wireguard/allowedips.c:258:9: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:269:24: sparse: sparse: cast removes address space '__rcu' of expression
   drivers/net/wireguard/allowedips.c:270:26: sparse: sparse: cast removes address space '__rcu' of expression
>> drivers/net/wireguard/allowedips.c:276:19: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct callback_head *head @@ got struct callback_head [noderef] __rcu * @@
   drivers/net/wireguard/allowedips.c:276:19: sparse:     expected struct callback_head *head
   drivers/net/wireguard/allowedips.c:276:19: sparse:     got struct callback_head [noderef] __rcu *
   drivers/net/wireguard/allowedips.c:294:18: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/net/wireguard/allowedips.c:294:18: sparse:     struct wg_peer *
   drivers/net/wireguard/allowedips.c:294:18: sparse:     struct wg_peer [noderef] __rcu *
>> drivers/net/wireguard/allowedips.c:384:25: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct allowedips_node [noderef] __rcu *node @@ got struct allowedips_node *[assigned] node @@
>> drivers/net/wireguard/allowedips.c:258:9: sparse: sparse: dereference of noderef expression
>> drivers/net/wireguard/allowedips.c:258:9: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:259:22: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:259:38: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:261:17: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:264:44: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:265:50: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:268:25: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:269:24: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:269:24: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:270:26: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:270:26: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:271:26: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:274:25: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:274:25: sparse: sparse: dereference of noderef expression
   drivers/net/wireguard/allowedips.c:274:25: sparse: sparse: dereference of noderef expression

vim +257 drivers/net/wireguard/allowedips.c

   251	
   252	static void _remove(struct allowedips_node __rcu *node, struct mutex *lock)
   253	{
   254		struct allowedips_node *child, **parent_bit, *parent;
   255		bool free_parent;
   256	
 > 257		list_del_init(&node->peer_list);
 > 258		RCU_INIT_POINTER(node->peer, NULL);
   259		if (node->bit[0] && node->bit[1])
   260			return;
   261		child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])],
   262						  lockdep_is_held(lock));
   263		if (child)
   264			child->parent_bit_packed = node->parent_bit_packed;
   265		parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL);
   266		*parent_bit = child;
   267		parent = (void *)parent_bit -
   268			 offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]);
   269		free_parent = !rcu_access_pointer(node->bit[0]) &&
   270		              !rcu_access_pointer(node->bit[1]) &&
   271		              (node->parent_bit_packed & 3) <= 1 &&
   272		              !rcu_access_pointer(parent->peer);
   273		if (free_parent)
   274			child = rcu_dereference_protected(parent->bit[!(node->parent_bit_packed & 1)],
   275							  lockdep_is_held(lock));
 > 276		call_rcu(&node->rcu, node_free_rcu);
   277		if (!free_parent)
   278			return;
   279		if (child)
   280			child->parent_bit_packed = parent->parent_bit_packed;
   281		*(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child;
   282		call_rcu(&parent->rcu, node_free_rcu);
   283	}
   284	
   285	static int remove(struct allowedips_node __rcu **trie, u8 bits, const u8 *key,
   286			  u8 cidr, struct wg_peer *peer, struct mutex *lock)
   287	{
   288		struct allowedips_node *node;
   289	
   290		if (unlikely(cidr > bits || !peer))
   291			return -EINVAL;
   292		if (!rcu_access_pointer(*trie) ||
   293		    !node_placement(*trie, key, cidr, bits, &node, lock) ||
   294		    peer != node->peer)
   295			return 0;
   296	
   297		_remove(node, lock);
   298	
   299		return 0;
   300	}
   301	
   302	void wg_allowedips_init(struct allowedips *table)
   303	{
   304		table->root4 = table->root6 = NULL;
   305		table->seq = 1;
   306	}
   307	
   308	void wg_allowedips_free(struct allowedips *table, struct mutex *lock)
   309	{
   310		struct allowedips_node __rcu *old4 = table->root4, *old6 = table->root6;
   311	
   312		++table->seq;
   313		RCU_INIT_POINTER(table->root4, NULL);
   314		RCU_INIT_POINTER(table->root6, NULL);
   315		if (rcu_access_pointer(old4)) {
   316			struct allowedips_node *node = rcu_dereference_protected(old4,
   317									lockdep_is_held(lock));
   318	
   319			root_remove_peer_lists(node);
   320			call_rcu(&node->rcu, root_free_rcu);
   321		}
   322		if (rcu_access_pointer(old6)) {
   323			struct allowedips_node *node = rcu_dereference_protected(old6,
   324									lockdep_is_held(lock));
   325	
   326			root_remove_peer_lists(node);
   327			call_rcu(&node->rcu, root_free_rcu);
   328		}
   329	}
   330	
   331	int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip,
   332				    u8 cidr, struct wg_peer *peer, struct mutex *lock)
   333	{
   334		/* Aligned so it can be passed to fls */
   335		u8 key[4] __aligned(__alignof(u32));
   336	
   337		++table->seq;
   338		swap_endian(key, (const u8 *)ip, 32);
   339		return add(&table->root4, 32, key, cidr, peer, lock);
   340	}
   341	
   342	int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
   343				    u8 cidr, struct wg_peer *peer, struct mutex *lock)
   344	{
   345		/* Aligned so it can be passed to fls64 */
   346		u8 key[16] __aligned(__alignof(u64));
   347	
   348		++table->seq;
   349		swap_endian(key, (const u8 *)ip, 128);
   350		return add(&table->root6, 128, key, cidr, peer, lock);
   351	}
   352	
   353	int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip,
   354				    u8 cidr, struct wg_peer *peer, struct mutex *lock)
   355	{
   356		/* Aligned so it can be passed to fls */
   357		u8 key[4] __aligned(__alignof(u32));
   358	
   359		++table->seq;
   360		swap_endian(key, (const u8 *)ip, 32);
   361		return remove(&table->root4, 32, key, cidr, peer, lock);
   362	}
   363	
   364	int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip,
   365				    u8 cidr, struct wg_peer *peer, struct mutex *lock)
   366	{
   367		/* Aligned so it can be passed to fls64 */
   368		u8 key[16] __aligned(__alignof(u64));
   369	
   370		++table->seq;
   371		swap_endian(key, (const u8 *)ip, 128);
   372		return remove(&table->root6, 128, key, cidr, peer, lock);
   373	}
   374	
   375	void wg_allowedips_remove_by_peer(struct allowedips *table,
   376					  struct wg_peer *peer, struct mutex *lock)
   377	{
   378		struct allowedips_node *node, *tmp;
   379	
   380		if (list_empty(&peer->allowedips_list))
   381			return;
   382		++table->seq;
   383		list_for_each_entry_safe(node, tmp, &peer->allowedips_list, peer_list) {
 > 384			_remove(node, lock);
   385		}
   386	}
   387	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

From jrife at google.com Thu Sep 5 20:07:33 2024
From: jrife at google.com (Jordan Rife)
Date: Thu, 05 Sep 2024 20:07:33 -0000
Subject: [PATCH v2 net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
Message-ID: <20240905200551.4099064-1-jrife@google.com>

With the current API the only way to remove an allowed IP is to
completely rebuild the allowed IPs set for a peer using
WGPEER_F_REPLACE_ALLOWEDIPS. In other words, if my current configuration
is such that a peer has allowed IPs 192.168.0.2 and 192.168.0.3 and I
want to remove 192.168.0.2, the actual transition looks like this.
  [192.168.0.2, 192.168.0.3] <-- Initial state
  []                         <-- Step 1: Allowed IPs removed for peer
  [192.168.0.3]              <-- Step 2: Allowed IPs added back for peer

This is true even if the allowed IP list is small and the update does
not need to be batched into multiple WG_CMD_SET_DEVICE requests, as the
removal and subsequent addition of IPs is non-atomic within a single
request. Consequently, wg_allowedips_lookup_dst and
wg_allowedips_lookup_src may return NULL while reconfiguring a peer,
even for packets bound for IPs a user did not intend to remove, leading
to unintended interruptions in connectivity. This presents in userspace
as failed calls to sendto and sendmsg for UDP sockets. In my case, I ran
netperf while repeatedly reconfiguring the allowed IPs for a peer with
wg.

  /usr/local/bin/netperf -H 10.102.73.72 -l 10m -t UDP_STREAM -- -R 1 -m 1024

  send_data: data send error: No route to host (errno 113)
  netperf: send_omni: send_data failed: No route to host

While this may not be of particular concern for environments where peers
and allowed IPs are mostly static, Cilium manages peers and allowed IPs
in a dynamic environment where peers (i.e. Kubernetes nodes) and allowed
IPs (i.e. Pods running on those nodes) can frequently change. Cilium
must continually keep its WireGuard device's configuration in sync with
its cluster state, leading to unnecessary churn and packet drops.

This patch introduces a new flag called WGALLOWEDIP_F_REMOVE_ME which,
in the same way that WGPEER_F_REMOVE_ME allows a user to remove a single
peer from a WireGuard device's configuration, allows a user to remove an
IP from a peer's set of allowed IPs. This has two benefits. First, it
allows systems such as Cilium to avoid introducing connectivity blips
while reconfiguring a WireGuard device. Second, it allows us to more
efficiently keep the device's configuration in sync with the cluster
state, as we no longer need to do frequent rebuilds of the allowed IPs
list for each peer.
Instead, the device's configuration can be incrementally updated.

This patch also bumps WG_GENL_VERSION, which clients can use to detect
whether or not their system supports the WGALLOWEDIP_F_REMOVE_ME flag.

=======
Changes
=======

v1->v2
------
* Fixed some Sparse warnings

Signed-off-by: Jordan Rife
---
 drivers/net/wireguard/allowedips.c            | 103 ++++++++++----
 drivers/net/wireguard/allowedips.h            |   4 +
 drivers/net/wireguard/netlink.c               |  45 +++++--
 drivers/net/wireguard/selftest/allowedips.c   |  30 +++++
 include/uapi/linux/wireguard.h                |  11 +-
 tools/testing/selftests/wireguard/Makefile    |  18 +++
 tools/testing/selftests/wireguard/netns.sh    |  38 ++++++
 tools/testing/selftests/wireguard/remove-ip.c | 126 ++++++++++++++++++
 8 files changed, 333 insertions(+), 42 deletions(-)
 create mode 100644 tools/testing/selftests/wireguard/Makefile
 create mode 100644 tools/testing/selftests/wireguard/remove-ip.c

diff --git a/drivers/net/wireguard/allowedips.c b/drivers/net/wireguard/allowedips.c
index 4b8528206cc8a..ff52259dd8d81 100644
--- a/drivers/net/wireguard/allowedips.c
+++ b/drivers/net/wireguard/allowedips.c
@@ -249,6 +249,56 @@ static int add(struct allowedips_node __rcu **trie, u8 bits, const u8 *key,
 	return 0;
 }
 
+static void _remove(struct allowedips_node *node, struct mutex *lock)
+{
+	struct allowedips_node *child, **parent_bit, *parent;
+	bool free_parent;
+
+	list_del_init(&node->peer_list);
+	RCU_INIT_POINTER(node->peer, NULL);
+	if (node->bit[0] && node->bit[1])
+		return;
+	child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])],
+					  lockdep_is_held(lock));
+	if (child)
+		child->parent_bit_packed = node->parent_bit_packed;
+	parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL);
+	*parent_bit = child;
+	parent = (void *)parent_bit -
+		 offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]);
+	free_parent = !rcu_access_pointer(node->bit[0]) &&
+		      !rcu_access_pointer(node->bit[1]) &&
+		      (node->parent_bit_packed & 3) <= 1 &&
+		      !rcu_access_pointer(parent->peer);
+	if (free_parent)
+		child = rcu_dereference_protected(parent->bit[!(node->parent_bit_packed & 1)],
+						  lockdep_is_held(lock));
+	call_rcu(&node->rcu, node_free_rcu);
+	if (!free_parent)
+		return;
+	if (child)
+		child->parent_bit_packed = parent->parent_bit_packed;
+	*(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child;
+	call_rcu(&parent->rcu, node_free_rcu);
+}
+
+static int remove(struct allowedips_node __rcu **trie, u8 bits, const u8 *key,
+		  u8 cidr, struct wg_peer *peer, struct mutex *lock)
+{
+	struct allowedips_node *node;
+
+	if (unlikely(cidr > bits || !peer))
+		return -EINVAL;
+	if (!rcu_access_pointer(*trie) ||
+	    !node_placement(*trie, key, cidr, bits, &node, lock) ||
+	    peer != rcu_access_pointer(node->peer))
+		return 0;
+
+	_remove(node, lock);
+
+	return 0;
+}
+
 void wg_allowedips_init(struct allowedips *table)
 {
 	table->root4 = table->root6 = NULL;
@@ -300,43 +350,38 @@ int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
 	return add(&table->root6, 128, key, cidr, peer, lock);
 }
 
+int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip,
+			    u8 cidr, struct wg_peer *peer, struct mutex *lock)
+{
+	/* Aligned so it can be passed to fls */
+	u8 key[4] __aligned(__alignof(u32));
+
+	++table->seq;
+	swap_endian(key, (const u8 *)ip, 32);
+	return remove(&table->root4, 32, key, cidr, peer, lock);
+}
+
+int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip,
+			    u8 cidr, struct wg_peer *peer, struct mutex *lock)
+{
+	/* Aligned so it can be passed to fls64 */
+	u8 key[16] __aligned(__alignof(u64));
+
+	++table->seq;
+	swap_endian(key, (const u8 *)ip, 128);
+	return remove(&table->root6, 128, key, cidr, peer, lock);
+}
+
 void wg_allowedips_remove_by_peer(struct allowedips *table,
 				  struct wg_peer *peer, struct mutex *lock)
 {
-	struct allowedips_node *node, *child, **parent_bit, *parent, *tmp;
-	bool free_parent;
+	struct allowedips_node *node, *tmp;
 
 	if (list_empty(&peer->allowedips_list))
 		return;
 	++table->seq;
 	list_for_each_entry_safe(node, tmp, &peer->allowedips_list, peer_list) {
-		list_del_init(&node->peer_list);
-		RCU_INIT_POINTER(node->peer, NULL);
-		if (node->bit[0] && node->bit[1])
-			continue;
-		child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])],
-						  lockdep_is_held(lock));
-		if (child)
-			child->parent_bit_packed = node->parent_bit_packed;
-		parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL);
-		*parent_bit = child;
-		parent = (void *)parent_bit -
-			 offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]);
-		free_parent = !rcu_access_pointer(node->bit[0]) &&
-			      !rcu_access_pointer(node->bit[1]) &&
-			      (node->parent_bit_packed & 3) <= 1 &&
-			      !rcu_access_pointer(parent->peer);
-		if (free_parent)
-			child = rcu_dereference_protected(
-				parent->bit[!(node->parent_bit_packed & 1)],
-				lockdep_is_held(lock));
-		call_rcu(&node->rcu, node_free_rcu);
-		if (!free_parent)
-			continue;
-		if (child)
-			child->parent_bit_packed = parent->parent_bit_packed;
-		*(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child;
-		call_rcu(&parent->rcu, node_free_rcu);
+		_remove(node, lock);
 	}
 }
 
diff --git a/drivers/net/wireguard/allowedips.h b/drivers/net/wireguard/allowedips.h
index 2346c797eb4d8..931958cb6e100 100644
--- a/drivers/net/wireguard/allowedips.h
+++ b/drivers/net/wireguard/allowedips.h
@@ -38,6 +38,10 @@ int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip,
 			    u8 cidr, struct wg_peer *peer, struct mutex *lock);
 int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
 			    u8 cidr, struct wg_peer *peer, struct mutex *lock);
+int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip,
+			    u8 cidr, struct wg_peer *peer, struct mutex *lock);
+int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip,
+			    u8 cidr, struct wg_peer *peer, struct mutex *lock);
 void wg_allowedips_remove_by_peer(struct allowedips *table,
 				  struct wg_peer *peer, struct mutex *lock);
 
 /* The ip input pointer should be __aligned(__alignof(u64))) */
diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
index f7055180ba4aa..5f2a8553ab43d 100644
--- a/drivers/net/wireguard/netlink.c
+++ b/drivers/net/wireguard/netlink.c
@@ -46,7 +46,8 @@ static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
 static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = {
 	[WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 },
 	[WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)),
-	[WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 }
+	[WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 },
+	[WGALLOWEDIP_A_FLAGS] = { .type = NLA_U32 }
 };
 
 static struct wg_device *lookup_interface(struct nlattr **attrs,
@@ -329,6 +330,7 @@ static int set_port(struct wg_device *wg, u16 port)
 static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs)
 {
 	int ret = -EINVAL;
+	u32 flags = 0;
 	u16 family;
 	u8 cidr;
 
@@ -337,19 +339,38 @@ static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs)
 		return ret;
 	family = nla_get_u16(attrs[WGALLOWEDIP_A_FAMILY]);
 	cidr = nla_get_u8(attrs[WGALLOWEDIP_A_CIDR_MASK]);
+	if (attrs[WGALLOWEDIP_A_FLAGS])
+		flags = nla_get_u32(attrs[WGALLOWEDIP_A_FLAGS]);
 
 	if (family == AF_INET && cidr <= 32 &&
-	    nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr))
-		ret = wg_allowedips_insert_v4(
-			&peer->device->peer_allowedips,
-			nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer,
-			&peer->device->device_update_lock);
-	else if (family == AF_INET6 && cidr <= 128 &&
-		 nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr))
-		ret = wg_allowedips_insert_v6(
-			&peer->device->peer_allowedips,
-			nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer,
-			&peer->device->device_update_lock);
+	    nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr)) {
+		if (flags & WGALLOWEDIP_F_REMOVE_ME)
+			ret = wg_allowedips_remove_v4(&peer->device->peer_allowedips,
+						      nla_data(attrs[WGALLOWEDIP_A_IPADDR]),
+						      cidr,
+						      peer,
+						      &peer->device->device_update_lock);
+		else
+			ret = wg_allowedips_insert_v4(&peer->device->peer_allowedips,
+						      nla_data(attrs[WGALLOWEDIP_A_IPADDR]),
+						      cidr,
+						      peer,
+						      &peer->device->device_update_lock);
+	} else if (family == AF_INET6 && cidr <= 128 &&
+		   nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr)) {
+		if (flags & WGALLOWEDIP_F_REMOVE_ME)
+			ret = wg_allowedips_remove_v6(&peer->device->peer_allowedips,
+						      nla_data(attrs[WGALLOWEDIP_A_IPADDR]),
+						      cidr,
+						      peer,
+						      &peer->device->device_update_lock);
+		else
+			ret = wg_allowedips_insert_v6(&peer->device->peer_allowedips,
+						      nla_data(attrs[WGALLOWEDIP_A_IPADDR]),
+						      cidr,
+						      peer,
+						      &peer->device->device_update_lock);
+	}
 
 	return ret;
 }
diff --git a/drivers/net/wireguard/selftest/allowedips.c b/drivers/net/wireguard/selftest/allowedips.c
index 3d1f64ff2e122..9f6458a889e96 100644
--- a/drivers/net/wireguard/selftest/allowedips.c
+++ b/drivers/net/wireguard/selftest/allowedips.c
@@ -461,6 +461,10 @@ static __init struct wg_peer *init_peer(void)
 	wg_allowedips_insert_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \
 					cidr, mem, &mutex)
 
+#define remove(version, mem, ipa, ipb, ipc, ipd, cidr) \
+	wg_allowedips_remove_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \
+					cidr, mem, &mutex)
+
 #define maybe_fail() do { \
 		++i; \
 		if (!_s) { \
@@ -586,6 +590,32 @@ bool __init wg_allowedips_selftest(void)
 	test_negative(4, a, 192, 0, 0, 0);
 	test_negative(4, a, 255, 0, 0, 0);
 
+	insert(4, a, 1, 0, 0, 0, 32);
+	insert(4, a, 192, 0, 0, 0, 24);
+	insert(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128);
+	insert(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98);
+	test(4, a, 1, 0, 0, 0);
+	test(4, a, 192, 0, 0, 1);
+	test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef);
+	test(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010);
+	/* Must be an exact match to remove */
+	remove(4, a, 192, 0, 0, 0, 32);
+	test(4, a, 192, 0, 0, 1);
+	remove(4, a, 192, 0, 0, 0, 24);
+	test_negative(4, a, 192, 0, 0, 1);
+	remove(4, a, 1, 0, 0, 0, 32);
+	test_negative(4, a, 1, 0, 0, 0);
+	/* Must be an exact match to remove */
+	remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 96);
+	test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef);
+	remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128);
+	test_negative(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef);
+	/* Must match the peer to remove */
+	remove(6, b, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98);
+	test(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010);
+	remove(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98);
+	test_negative(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010);
+
 	wg_allowedips_free(&t, &mutex);
 	wg_allowedips_init(&t);
 	insert(4, a, 192, 168, 0, 0, 16);
diff --git a/include/uapi/linux/wireguard.h b/include/uapi/linux/wireguard.h
index ae88be14c9478..e219194cb9f5a 100644
--- a/include/uapi/linux/wireguard.h
+++ b/include/uapi/linux/wireguard.h
@@ -101,6 +101,10 @@
  *                    WGALLOWEDIP_A_FAMILY: NLA_U16
  *                    WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr
  *                    WGALLOWEDIP_A_CIDR_MASK: NLA_U8
+ *                    WGALLOWEDIP_A_FLAGS: NLA_U32, WGALLOWEDIP_F_REMOVE_ME if
+ *                                         the specified IP should be removed,
+ *                                         otherwise this IP will be added if
+ *                                         it is not already present.
  *                0: NLA_NESTED
  *                ...
  *            0: NLA_NESTED
@@ -132,7 +136,7 @@
 #define _WG_UAPI_WIREGUARD_H
 
 #define WG_GENL_NAME "wireguard"
-#define WG_GENL_VERSION 1
+#define WG_GENL_VERSION 2
 
 #define WG_KEY_LEN 32
 
@@ -184,11 +188,16 @@ enum wgpeer_attribute {
 };
 #define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
 
+enum wgallowedip_flag {
+	WGALLOWEDIP_F_REMOVE_ME = 1U << 0,
+	__WGALLOWEDIP_F_ALL = WGALLOWEDIP_F_REMOVE_ME
+};
 enum wgallowedip_attribute {
 	WGALLOWEDIP_A_UNSPEC,
 	WGALLOWEDIP_A_FAMILY,
 	WGALLOWEDIP_A_IPADDR,
 	WGALLOWEDIP_A_CIDR_MASK,
+	WGALLOWEDIP_A_FLAGS,
 	__WGALLOWEDIP_A_LAST
 };
 #define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1)
diff --git a/tools/testing/selftests/wireguard/Makefile b/tools/testing/selftests/wireguard/Makefile
new file mode 100644
index 0000000000000..4f4db54f89cb3
--- /dev/null
+++ b/tools/testing/selftests/wireguard/Makefile
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Note: To build this you must install libnl-3 and libnl-genl-3 development
+# packages.
+remove-ip:
+	gcc -I/usr/include/libnl3 \
+	    -I../../../../usr/include \
+	    remove-ip.c \
+	    -o remove-ip \
+	    -lnl-genl-3 \
+	    -lnl-3
+
+.PHONY: all
+all: remove-ip
+
+.PHONY: clean
+clean:
+	rm remove-ip
diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
index 405ff262ca93d..70058d6ebbe85 100755
--- a/tools/testing/selftests/wireguard/netns.sh
+++ b/tools/testing/selftests/wireguard/netns.sh
@@ -28,6 +28,7 @@ exec 3>&1
 export LANG=C
 export WG_HIDE_KEYS=never
 NPROC=( /sys/devices/system/cpu/cpu+([0-9]) ); NPROC=${#NPROC[@]}
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 netns0="wg-test-$$-0"
 netns1="wg-test-$$-1"
 netns2="wg-test-$$-2"
@@ -610,6 +611,43 @@ n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
 } < <(n0 wg show wg0 allowed-ips)
 ip0 link del wg0
 
+# Test IP removal
+allowedips=( )
+for i in {1..197}; do
+	allowedips+=( 192.168.0.$i )
+	allowedips+=( abcd::$i )
+done
+saved_ifs="$IFS"
+IFS=,
+allowedips="${allowedips[*]}"
+IFS="$saved_ifs"
+ip0 link add wg0 type wireguard
+n0 wg set wg0 peer "$pub1" allowed-ips "$allowedips"
+pub1_hex=$(echo "$pub1" | base64 -d | xxd -p -c 50)
+n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 4 192.168.0.1
+n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 4 192.168.0.20
+n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 4 192.168.0.100
+n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 6 abcd::1
+n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 6 abcd::20
+n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 6 abcd::100
+n0 wg show wg0 allowed-ips
+{
+	read -r pub allowedips
+	[[ $pub == "$pub1" ]]
+	i=0
+	for ip in $allowedips; do
+		[[ "$ip" != "192.168.0.1" ]]
+		[[ "$ip" != "192.168.0.20" ]]
+		[[ "$ip" != "192.168.0.100" ]]
+		[[ "$ip" != "abcd::1" ]]
+		[[ "$ip" != "abcd::20" ]]
+		[[ "$ip" != "abcd::100" ]]
+		((++i))
+	done
+	((i == 388))
+} < <(n0 wg show wg0 allowed-ips)
+ip0 link del wg0
+
 ! n0 wg show doesnotexist || false
 
 ip0 link add wg0 type wireguard
diff --git a/tools/testing/selftests/wireguard/remove-ip.c b/tools/testing/selftests/wireguard/remove-ip.c
new file mode 100644
index 0000000000000..242f922d99b56
--- /dev/null
+++ b/tools/testing/selftests/wireguard/remove-ip.c
@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <arpa/inet.h>
+#include <linux/wireguard.h>
+#include <netlink/attr.h>
+#include <netlink/genl/ctrl.h>
+#include <netlink/genl/genl.h>
+#include <netlink/msg.h>
+#include <netlink/netlink.h>
+#include <netlink/socket.h>
+#include <stdio.h>
+
+#define CURVE25519_KEY_SIZE 32
+
+const char *usage = "Usage: remove-ip INTERFACE_NAME PEER_PUBLIC_KEY_HEX IP_VERSION IP";
+
+char h2b(char c)
+{
+	if ('0' <= c && c <= '9')
+		return c - '0';
+	else if ('a' <= c && c <= 'f')
+		return 10 + (c - 'a');
+
+	return -1;
+}
+
+int parse_key(const char *raw, unsigned char key[CURVE25519_KEY_SIZE])
+{
+	int ret = 0;
+	int i;
+
+	for (i = 0; i < CURVE25519_KEY_SIZE; i++) {
+		char h, l;
+
+		h = h2b(raw[0]);
+		if (h < 0)
+			return -1;
+
+		l = h2b(raw[1]);
+		if (l < 0)
+			return -1;
+
+		key[i] = (h << 4) | l;
+		raw += 2;
+	}
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	unsigned char addr[sizeof(struct in6_addr)];
+	unsigned char pub_key[CURVE25519_KEY_SIZE];
+	struct nl_sock *sock;
+	struct nl_msg *msg;
+	int addr_len;
+	int family;
+	int cidr;
+	int af;
+
+	if (argc < 5) {
+		printf("Not enough arguments.\n\n%s\n", usage);
+		return -1;
+	}
+
+	if (parse_key(argv[2], pub_key)) {
+		printf("Could not parse public key\n");
+		return -1;
+	}
+
+	switch (argv[3][0]) {
+	case '4':
+		af = AF_INET;
+		addr_len = sizeof(struct in_addr);
+		cidr = 32;
+		break;
+	case '6':
+		af = AF_INET6;
+		addr_len = sizeof(struct in6_addr);
+		cidr = 128;
+		break;
+	default:
+		printf("Invalid IP version\n");
+		return -1;
+	}
+
+	if (inet_pton(af, argv[4], &addr) <= 0) {
+		printf("Could not parse IP address\n");
+		return -1;
+	}
+
+	sock = nl_socket_alloc();
+	genl_connect(sock);
+	family = genl_ctrl_resolve(sock, WG_GENL_NAME);
+	msg = nlmsg_alloc();
+	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family, 0, NLM_F_ECHO,
+		    WG_CMD_SET_DEVICE, WG_GENL_VERSION);
+	nla_put_string(msg, WGDEVICE_A_IFNAME, argv[1]);
+
+	struct nlattr *peers = nla_nest_start(msg, WGDEVICE_A_PEERS);
+	struct nlattr *peer0 = nla_nest_start(msg, 0);
+
+	nla_put(msg, WGPEER_A_PUBLIC_KEY, CURVE25519_KEY_SIZE, pub_key);
+
+	struct nlattr *allowed_ips = nla_nest_start(msg, WGPEER_A_ALLOWEDIPS);
+	struct nlattr *allowed_ip0 = nla_nest_start(msg, 0);
+
+	nla_put_u16(msg, WGALLOWEDIP_A_FAMILY, af);
+	nla_put(msg, WGALLOWEDIP_A_IPADDR, addr_len, &addr);
+	nla_put_u8(msg, WGALLOWEDIP_A_CIDR_MASK, cidr);
+	nla_put_u32(msg, WGALLOWEDIP_A_FLAGS, WGALLOWEDIP_F_REMOVE_ME);
+	nla_nest_end(msg, allowed_ip0);
+	nla_nest_end(msg, allowed_ips);
+	nla_nest_end(msg, peer0);
+	nla_nest_end(msg, peers);
+
+	int err = nl_send_sync(sock, msg);
+
+	if (err < 0) {
+		char message[256];
+
+		nl_perror(err, message);
+		printf("An error occurred: %d - %s\n", err, message);
+	}
+
+	return err;
+}
-- 
2.46.0.598.g6f2099f65c-goog

From syzbot+b0ae8f1abf7d891e0426 at syzkaller.appspotmail.com Sun Sep 15 19:59:28 2024
From: syzbot+b0ae8f1abf7d891e0426 at syzkaller.appspotmail.com (syzbot)
Date: Sun, 15 Sep 2024 19:59:28 -0000
Subject: [syzbot] [wireguard?] INFO: task hung in tun_chr_close (5)
Message-ID: <000000000000bd671b06222de427@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    7c6a3a65ace7 minmax: reduce min/max macro expansion in ato..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=140a20a9980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=28869f34c32848cf
dashboard link: https://syzkaller.appspot.com/bug?extid=b0ae8f1abf7d891e0426
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/57e94d370ef7/disk-7c6a3a65.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ce7cfa54ff9/vmlinux-7c6a3a65.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bfe1c98724fe/bzImage-7c6a3a65.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b0ae8f1abf7d891e0426 at syzkaller.appspotmail.com

INFO: task syz-executor:5223 blocked for more than 143 seconds.
      Not tainted 6.11.0-rc7-syzkaller-00021-g7c6a3a65ace7 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:21792 pid:5223  tgid:5223  ppid:1      flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:5188 [inline]
 __schedule+0xe37/0x5490 kernel/sched/core.c:6529
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6621
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 tun_detach drivers/net/tun.c:698 [inline]
 tun_chr_close+0x3e/0x230 drivers/net/tun.c:3510
 __fput+0x408/0xbb0 fs/file_table.c:422
 task_work_run+0x14e/0x250 kernel/task_work.c:228
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xaa3/0x2bb0 kernel/exit.c:882
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
 get_signal+0x25fb/0x2770 kernel/signal.c:2917
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6f4917c93c
RSP: 002b:00007ffd64f1bea0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f6f4917c93c
RDX: 0000000000000028 RSI: 00007ffd64f1bf50 RDI: 00000000000000f9
RBP: 00007ffd64f1befc R08: 0000000000000000 R09: 0079746972756365
R10: 00007f6f493087e0 R11: 0000000000000246 R12: 000000000000005f
R13: 00000000000529a3 R14: 000000000005292a R15: 00007ffd64f1bf50
INFO: task syz-executor:5234 blocked for more than 143 seconds.
      Not tainted 6.11.0-rc7-syzkaller-00021-g7c6a3a65ace7 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:23040 pid:5234 tgid:5234 ppid:1 flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5188 [inline] __schedule+0xe37/0x5490 kernel/sched/core.c:6529 __schedule_loop kernel/sched/core.c:6606 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6621 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 tun_detach drivers/net/tun.c:698 [inline] tun_chr_close+0x3e/0x230 drivers/net/tun.c:3510 __fput+0x408/0xbb0 fs/file_table.c:422 task_work_run+0x14e/0x250 kernel/task_work.c:228 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xaa3/0x2bb0 kernel/exit.c:882 do_group_exit+0xd3/0x2a0 kernel/exit.c:1031 get_signal+0x25fb/0x2770 kernel/signal.c:2917 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f4023d7fdea RSP: 002b:00007ffcbd595968 EFLAGS: 00000206 ORIG_RAX: 0000000000000036 RAX: 0000000000000000 RBX: 00007ffcbd5959f0 RCX: 00007f4023d7fdea RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000558 R09: 0079746972756365 R10: 00007f4023f07a60 R11: 0000000000000206 R12: 00007f4023f07a00 R13: 00007ffcbd59598c R14: 0000000000000000 R15: 00007f4023f08e40 Showing all locks held in the system: 2 locks held by kworker/0:1/9: 3 locks held by kworker/u8:0/11: #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x1277/0x1b40 kernel/workqueue.c:3206 #1: ffffc90000107d80 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x921/0x1b40 
kernel/workqueue.c:3207 #2: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:276 4 locks held by kworker/1:0/25: 1 lock held by khungtaskd/30: #0: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline] #0: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #0: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6626 4 locks held by kworker/u8:5/63: #0: ffff88801bae3148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x1277/0x1b40 kernel/workqueue.c:3206 #1: ffffc900015e7d80 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x921/0x1b40 kernel/workqueue.c:3207 #2: ffffffff8fa20290 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xbb/0xbb0 net/core/net_namespace.c:594 #3: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1b/0x230 drivers/net/wireguard/device.c:414 2 locks held by kworker/u8:8/2961: 2 locks held by getty/4978: #0: ffff88823bd5c8a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc8/0x1490 drivers/tty/n_tty.c:2211 1 lock held by syz-executor/5223: #0: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline] #0: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3e/0x230 drivers/net/tun.c:3510 1 lock held by syz-executor/5225: #0: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline] #0: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3e/0x230 drivers/net/tun.c:3510 1 lock held by syz-executor/5234: #0: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline] #0: ffffffff8fa35ca8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3e/0x230 drivers/net/tun.c:3510 1 lock held by 
syz-executor/5233: 2 locks held by kworker/1:5/5281: 2 locks held by kworker/1:6/5283: 5 locks held by kworker/0:4/5312: 3 locks held by kworker/0:5/5313: 3 locks held by kworker/0:6/5320: 3 locks held by kworker/0:7/5321: #0: ffff88801ac80948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1277/0x1b40 kernel/workqueue.c:3206 #1: ffffc900040a7d80 ((work_completion)(&w->work)#2){+.+.}-{0:0}, at: process_one_work+0x921/0x1b40 kernel/workqueue.c:3207 #2: ffffffff8fae8fe8 (nf_conntrack_mutex){+.+.}-{3:3}, at: nf_ct_iterate_cleanup+0x4b/0x500 net/netfilter/nf_conntrack_core.c:2403 3 locks held by kworker/1:9/10282: 2 locks held by syz-executor/10298: 1 lock held by syz-executor/10299: ============================================= NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-rc7-syzkaller-00021-g7c6a3a65ace7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline] watchdog+0xf0c/0x1240 kernel/hung_task.c:379 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 5312 Comm: kworker/0:4 Not tainted 6.11.0-rc7-syzkaller-00021-g7c6a3a65ace7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: events nsim_dev_trap_report_work RIP: 0010:__sanitizer_cov_trace_pc+0x18/0x70 kernel/kcov.c:212 Code: 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 15 a4 0a 78 7e 65 8b 05 a5 0a 78 7e a9 00 01 ff 00 <48> 8b 34 24 
74 1d f6 c4 01 74 43 a9 00 00 0f 00 75 3c a9 00 00 f0 RSP: 0018:ffffc90000007978 EFLAGS: 00000206 RAX: 0000000000000102 RBX: 0000000000000001 RCX: ffffffff88f20744 RDX: ffff888032b89e00 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88806b965500 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90000007c00 R13: 000000000003db0c R14: ffffffff88f244f1 R15: 000000000000001b FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb6cf5ffd00 CR3: 00000000693da000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __netif_receive_skb_core.constprop.0+0x139/0x4330 net/core/dev.c:5463 __netif_receive_skb_one_core+0xb1/0x1e0 net/core/dev.c:5659 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5775 process_backlog+0x443/0x15f0 net/core/dev.c:6108 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa92/0x1010 net/core/dev.c:6963 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 spin_unlock_bh include/linux/spinlock.h:396 [inline] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline] nsim_dev_trap_report_work+0x870/0xc80 drivers/net/netdevsim/dev.c:850 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. 
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup

From tklauser at distanz.ch Thu Sep 19 08:57:52 2024
From: tklauser at distanz.ch (Tobias Klauser)
Date: Thu, 19 Sep 2024 08:57:52 -0000
Subject: [PATCH net-next] wireguard: Omit unnecessary memset of netdev private data
Message-ID: <20240919085746.16904-1-tklauser@distanz.ch>

The memory for netdev_priv is allocated using kvzalloc in
alloc_netdev_mqs before rtnl_link_ops->setup is called so there is no
need to zero it again in wg_setup.

Signed-off-by: Tobias Klauser
---
 drivers/net/wireguard/device.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
index 45e9b908dbfb..a2ba71fbbed4 100644
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -302,7 +302,6 @@ static void wg_setup(struct net_device *dev)
 	/* We need to keep the dst around in case of icmp replies. */
 	netif_keep_dst(dev);
-	memset(wg, 0, sizeof(*wg));
 	wg->dev = dev;
 }
-- 
2.43.0

From horms at kernel.org Thu Sep 19 12:16:23 2024
From: horms at kernel.org (Simon Horman)
Date: Thu, 19 Sep 2024 12:16:23 -0000
Subject: [PATCH net-next] wireguard: Omit unnecessary memset of netdev private data
In-Reply-To: <20240919085746.16904-1-tklauser@distanz.ch>
References: <20240919085746.16904-1-tklauser@distanz.ch>
Message-ID: <20240919121616.GF1044577@kernel.org>

On Thu, Sep 19, 2024 at 10:57:46AM +0200, Tobias Klauser wrote:
> The memory for netdev_priv is allocated using kvzalloc in
> alloc_netdev_mqs before rtnl_link_ops->setup is called so there is no
> need to zero it again in wg_setup.
>
> Signed-off-by: Tobias Klauser

Reviewed-by: Simon Horman

...

From Jason at zx2c4.com Fri Sep 20 15:27:19 2024
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Fri, 20 Sep 2024 15:27:19 -0000
Subject: [PATCH net-next] wireguard: Omit unnecessary memset of netdev private data
In-Reply-To: <20240919085746.16904-1-tklauser@distanz.ch>
References: <20240919085746.16904-1-tklauser@distanz.ch>
Message-ID:

On Thu, Sep 19, 2024 at 10:57:46AM +0200, Tobias Klauser wrote:
> The memory for netdev_priv is allocated using kvzalloc in
> alloc_netdev_mqs before rtnl_link_ops->setup is called so there is no
> need to zero it again in wg_setup.
>
> Signed-off-by: Tobias Klauser

Thanks. Seems reasonable to me. I'll queue it up in the wireguard tree.

Jason

From jannh at google.com Sun Sep 22 01:11:38 2024
From: jannh at google.com (Jann Horn)
Date: Sun, 22 Sep 2024 01:11:38 -0000
Subject: lockdep detected circular locking between rtnl_mutex and pm_chain_head.rwsem [wireguard and r8152]
Message-ID:

Hi!
While trying out a kernel at commit 88264981f2082248e892a706b2c5004650faac54 (latest mainline) with lockdep enabled, I hit a lockdep warning - it looks like wireguard takes the rtnl_lock in a PM callback (meaning pm_chain_head.rwsem is already held), while r8152 registers a PM callback in a context where the rtnl_lock is held, and this makes lockdep unhappy. But I don't know enough about the PM code to know which of those is the problem or whether this race could even occur. I'm also not sure whether this is a regression - I don't usually run lockdep kernels on this machine. [ 1749.181131] PM: suspend entry (s2idle) [ 1749.209736] Filesystems sync: 0.028 seconds [ 1749.220240] ====================================================== [ 1749.220242] WARNING: possible circular locking dependency detected [ 1749.220244] 6.11.0-slowkasan+ #140 Not tainted [ 1749.220247] ------------------------------------------------------ [ 1749.220249] systemd-sleep/5239 is trying to acquire lock: [ 1749.220252] ffffffffb1156c88 (rtnl_mutex){+.+.}-{3:3}, at: wg_pm_notification (drivers/net/wireguard/device.c:81 drivers/net/wireguard/device.c:64) [ 1749.220265] but task is already holding lock: [ 1749.220267] ffffffffb077e170 ((pm_chain_head).rwsem){++++}-{3:3}, at: blocking_notifier_call_chain_robust (kernel/notifier.c:128 kernel/notifier.c:353 kernel/notifier.c:341) [ 1749.220277] which lock already depends on the new lock. 
[ 1749.220279] the existing dependency chain (in reverse order) is: [ 1749.220281] -> #1 ((pm_chain_head).rwsem){++++}-{3:3}: [ 1749.220287] down_write (./arch/x86/include/asm/preempt.h:79 kernel/locking/rwsem.c:1304 kernel/locking/rwsem.c:1315 kernel/locking/rwsem.c:1580) [ 1749.220292] blocking_notifier_chain_register (kernel/notifier.c:272 kernel/notifier.c:290) [ 1749.220295] rtl8152_open (drivers/net/usb/r8152.c:6994) [ 1749.220300] __dev_open (net/core/dev.c:1476) [ 1749.220304] __dev_change_flags (net/core/dev.c:8837) [ 1749.220308] dev_change_flags (net/core/dev.c:8909) [ 1749.220311] do_setlink (net/core/rtnetlink.c:2900) [ 1749.220315] __rtnl_newlink (net/core/rtnetlink.c:3696) [ 1749.220318] rtnl_newlink (net/core/rtnetlink.c:3744) [ 1749.220322] rtnetlink_rcv_msg (net/core/rtnetlink.c:6646) [ 1749.220325] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 1749.220329] netlink_unicast (net/netlink/af_netlink.c:1331 net/netlink/af_netlink.c:1357) [ 1749.220332] netlink_sendmsg (net/netlink/af_netlink.c:1901) [ 1749.220335] ____sys_sendmsg (net/socket.c:730 net/socket.c:745 net/socket.c:2603) [ 1749.220339] ___sys_sendmsg (net/socket.c:2659) [ 1749.220342] __sys_sendmsg (net/socket.c:2686) [ 1749.220344] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 1749.220348] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 1749.220352] -> #0 (rtnl_mutex){+.+.}-{3:3}: [ 1749.220357] __lock_acquire (kernel/locking/lockdep.c:3159 kernel/locking/lockdep.c:3277 kernel/locking/lockdep.c:3901 kernel/locking/lockdep.c:5199) [ 1749.220362] lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5824 kernel/locking/lockdep.c:5787) [ 1749.220365] __mutex_lock (kernel/locking/mutex.c:610 kernel/locking/mutex.c:752) [ 1749.220369] wg_pm_notification (drivers/net/wireguard/device.c:81 drivers/net/wireguard/device.c:64) [ 1749.220372] notifier_call_chain (kernel/notifier.c:93) [ 1749.220375] blocking_notifier_call_chain_robust 
(kernel/notifier.c:129 kernel/notifier.c:353 kernel/notifier.c:341) [ 1749.220378] pm_notifier_call_chain_robust (./include/linux/notifier.h:207 kernel/power/main.c:104) [ 1749.220382] pm_suspend (kernel/power/suspend.c:367 kernel/power/suspend.c:588 kernel/power/suspend.c:625) [ 1749.220386] state_store (kernel/power/main.c:746) [ 1749.220389] kernfs_fop_write_iter (fs/kernfs/file.c:334) [ 1749.220393] vfs_write (fs/read_write.c:590 fs/read_write.c:683) [ 1749.220397] ksys_write (fs/read_write.c:736) [ 1749.220399] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 1749.220402] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 1749.220406] other info that might help us debug this: [ 1749.220408] Possible unsafe locking scenario: [ 1749.220409] CPU0 CPU1 [ 1749.220411] ---- ---- [ 1749.220413] rlock((pm_chain_head).rwsem); [ 1749.220416] lock(rtnl_mutex); [ 1749.220420] lock((pm_chain_head).rwsem); [ 1749.220423] lock(rtnl_mutex); [ 1749.220426] *** DEADLOCK *** [ 1749.220428] 5 locks held by systemd-sleep/5239: [ 1749.220430] #0: ffff888125d2e3f8 (sb_writers#6){.+.+}-{0:0}, at: ksys_write (fs/read_write.c:736) [ 1749.220439] #1: ffff8881e5cb9888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter (fs/kernfs/file.c:326) [ 1749.220447] #2: ffff888460aee2d8 (kn->active#166){.+.+}-{0:0}, at: kernfs_fop_write_iter (fs/kernfs/file.c:326) [ 1749.220455] #3: ffffffffb0757008 (system_transition_mutex){+.+.}-{3:3}, at: pm_suspend (kernel/power/suspend.c:574 kernel/power/suspend.c:625) [ 1749.220463] #4: ffffffffb077e170 ((pm_chain_head).rwsem){++++}-{3:3}, at: blocking_notifier_call_chain_robust (kernel/notifier.c:128 kernel/notifier.c:353 kernel/notifier.c:341) [ 1749.220471] stack backtrace: [ 1749.220474] CPU: 1 UID: 0 PID: 5239 Comm: systemd-sleep Not tainted 6.11.0-slowkasan+ #140 [ 1749.220478] Hardware name: [...] 
[ 1749.220480] Call Trace: [ 1749.220483] [ 1749.220485] dump_stack_lvl (lib/dump_stack.c:124) [ 1749.220491] print_circular_bug (kernel/locking/lockdep.c:2077) [ 1749.220496] check_noncircular (kernel/locking/lockdep.c:2203) [...] [ 1749.220519] __lock_acquire (kernel/locking/lockdep.c:3159 kernel/locking/lockdep.c:3277 kernel/locking/lockdep.c:3901 kernel/locking/lockdep.c:5199) [...] [ 1749.220546] lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5824 kernel/locking/lockdep.c:5787) [...] [ 1749.220577] __mutex_lock (kernel/locking/mutex.c:610 kernel/locking/mutex.c:752) [...] [ 1749.220627] wg_pm_notification (drivers/net/wireguard/device.c:81 drivers/net/wireguard/device.c:64) [ 1749.220631] notifier_call_chain (kernel/notifier.c:93) [ 1749.220636] blocking_notifier_call_chain_robust (kernel/notifier.c:129 kernel/notifier.c:353 kernel/notifier.c:341) [...] [ 1749.220649] pm_notifier_call_chain_robust (./include/linux/notifier.h:207 kernel/power/main.c:104) [ 1749.220652] pm_suspend (kernel/power/suspend.c:367 kernel/power/suspend.c:588 kernel/power/suspend.c:625) [ 1749.220656] state_store (kernel/power/main.c:746) [ 1749.220661] kernfs_fop_write_iter (fs/kernfs/file.c:334) [ 1749.220665] vfs_write (fs/read_write.c:590 fs/read_write.c:683) [...] [ 1749.220693] ksys_write (fs/read_write.c:736) [...] [ 1749.220701] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 1749.220704] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 1749.220708] RIP: 0033:0x7fe2e2917240 [...] [ 1749.220735] [ 1749.223599] Freezing user space processes [ 1749.226307] Freezing user space processes completed (elapsed 0.002 seconds) From houmie at gmail.com Mon Sep 23 07:38:17 2024 From: houmie at gmail.com (Houman) Date: Mon, 23 Sep 2024 07:38:17 -0000 Subject: WireGuard Apple: Xcode 16.0 compatibility issues - Urgent fix needed Message-ID: This project is in urgent need of maintenance to make it work with Xcode 16.0. 
First I had to update Swift-tools-version:5.5 in Package.swift to be able to even add the library via Swift Package Manager to my project. After that, despite following all the integration instructions, I see errors that I have never seen before:

".../WireGuardKitC/WireGuardKitC.h:10:5 Declaration of 'u_int32_t' must be imported from module 'DarwinFoundation.unsigned_types.u_int32_t' before it is required"
".../WireGuardKitC/WireGuardKitC.h:14:5 Declaration of 'u_char' must be imported from module 'DarwinFoundation.unsigned_types.u_char' before it is required"
".../WireGuardKitC/WireGuardKitC.h:16:5 Declaration of 'u_int16_t' must be imported from module 'DarwinFoundation.unsigned_types.u_int16_t' before it is required"

Jason, can you please fix this? Or alternatively, if Jason is too busy, is there any reliable fork of WireGuard that is being maintained, please?

Thank you so much.
Houman

From edumazet at google.com Mon Sep 23 18:46:58 2024
From: edumazet at google.com (Eric Dumazet)
Date: Mon, 23 Sep 2024 18:46:58 -0000
Subject: wireguard/napi stuck in napi_disable
In-Reply-To:
References:
Message-ID:

On Mon, Sep 23, 2024 at 8:23 PM Ignat Korchagin wrote:
>
> Hello,
>
> We run calico on our Kubernetes cluster, which uses Wireguard to
> encrypt in-cluster traffic [1]. Recently we tried to improve the
> throughput of the cluster and eliminate some packet drops we're seeing
> by switching on threaded NAPI [2] on these managed Wireguard
> interfaces. However, our Kubernetes hosts started to lock up once in a
> while.
>
> Analyzing one stuck host with drgn we were able to confirm that the
> code is just waiting in this loop [3] for the NAPI_STATE_SCHED bit to
> be cleared for the Wireguard peer napi instance, but that never
> happens for some reason. For context the full state of the stuck napi
> instance is 0b100110111.
> What makes things worse - this happens when
> calico removes a Wireguard peer, which happens while holding the
> global rtnl_mutex, so all the other tasks requiring that mutex get
> stuck as well.
>
> Full stacktrace of the "looping" task:
>
> #0 context_switch (linux/kernel/sched/core.c:5380:2)
> #1 __schedule (linux/kernel/sched/core.c:6698:8)
> #2 schedule (linux/kernel/sched/core.c:6772:3)
> #3 schedule_hrtimeout_range_clock (linux/kernel/time/hrtimer.c:2311:3)
> #4 usleep_range_state (linux/kernel/time/timer.c:2363:8)
> #5 usleep_range (linux/include/linux/delay.h:68:2)
> #6 napi_disable (linux/net/core/dev.c:6477:4)
> #7 peer_remove_after_dead (linux/drivers/net/wireguard/peer.c:120:2)
> #8 set_peer (linux/drivers/net/wireguard/netlink.c:425:3)
> #9 wg_set_device (linux/drivers/net/wireguard/netlink.c:592:10)
> #10 genl_family_rcv_msg_doit (linux/net/netlink/genetlink.c:971:8)
> #11 genl_family_rcv_msg (linux/net/netlink/genetlink.c:1051:10)
> #12 genl_rcv_msg (linux/net/netlink/genetlink.c:1066:8)
> #13 netlink_rcv_skb (linux/net/netlink/af_netlink.c:2545:9)
> #14 genl_rcv (linux/net/netlink/genetlink.c:1075:2)
> #15 netlink_unicast_kernel (linux/net/netlink/af_netlink.c:1342:3)
> #16 netlink_unicast (linux/net/netlink/af_netlink.c:1368:10)
> #17 netlink_sendmsg (linux/net/netlink/af_netlink.c:1910:8)
> #18 sock_sendmsg_nosec (linux/net/socket.c:730:12)
> #19 __sock_sendmsg (linux/net/socket.c:745:16)
> #20 ____sys_sendmsg (linux/net/socket.c:2560:8)
> #21 ___sys_sendmsg (linux/net/socket.c:2614:8)
> #22 __sys_sendmsg (linux/net/socket.c:2643:8)
> #23 do_syscall_x64 (linux/arch/x86/entry/common.c:51:14)
> #24 do_syscall_64 (linux/arch/x86/entry/common.c:81:7)
> #25 entry_SYSCALL_64+0x9c/0x184 (linux/arch/x86/entry/entry_64.S:121)
>
> We have also noticed that a similar issue is observed, when we switch
> Wireguard threaded NAPI back to off: removing a Wireguard peer task
> may still spend a considerable amount of time in the above loop (and
> hold rtnl_mutex), however the host eventually recovers from this
> state.
>
> So the questions are:
> 1. Any ideas why NAPI_STATE_SCHED bit never gets cleared for the
> threaded NAPI case in Wireguard?
> 2. Is it generally a good idea for Wireguard to loop for an
> indeterminate amount of time, while holding the rtnl_mutex? Or can it
> be refactored?
>
> We have observed the problem on Linux 6.6.47 and 6.6.48. We did try to
> downgrade the kernel a couple of patch revisions, but it did not help
> and our logs indicate that at least the non-threaded prolonged holding
> of the rtnl_mutex is happening for a while now.
>
> [1]: https://docs.tigera.io/calico/latest/network-policy/encrypt-cluster-pod-traffic
> [2]: https://docs.kernel.org/networking/napi.html#threaded
> [3]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/core/dev.c?h=v6.6.48#n6476

Somehow wireguard continuously feeds packets without checking whether it should not (IFF_UP or some other bit).

napi_schedule() detects NAPIF_STATE_DISABLE, and napi_disable_pending() is also used from __napi_poll() to avoid adding back the napi if the whole budget was consumed.

Not sure, more debugging might be needed.

From syzbot+c0f4a2553a2527b3fc1f at syzkaller.appspotmail.com Tue Sep 24 12:55:23 2024
From: syzbot+c0f4a2553a2527b3fc1f at syzkaller.appspotmail.com (syzbot)
Date: Tue, 24 Sep 2024 12:55:23 -0000
Subject: [syzbot] [wireguard?]
general protection fault in wg_packet_receive (2) Message-ID: <66f2b6b9.050a0220.3eed3.002d.GAE@google.com> Hello, syzbot found the following issue on: HEAD commit: de5cb0dcb74c Merge branch 'address-masking' git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=167ce19f980000 kernel config: https://syzkaller.appspot.com/x/.config?x=74ffdb3b3fad1a43 dashboard link: https://syzkaller.appspot.com/bug?extid=c0f4a2553a2527b3fc1f compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 Unfortunately, I don't have any reproducer for this issue yet. Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/6dde53474dba/disk-de5cb0dc.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/6a60a36c2a3b/vmlinux-de5cb0dc.xz kernel image: https://storage.googleapis.com/syzbot-assets/f3f799d774bf/bzImage-de5cb0dc.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+c0f4a2553a2527b3fc1f at syzkaller.appspotmail.com Oops: general protection fault, probably for non-canonical address 0xedfd63131ffff113: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x6feb3898ffff8898-0x6feb3898ffff889f] CPU: 1 UID: 0 PID: 6046 Comm: kworker/1:8 Not tainted 6.11.0-syzkaller-08833-gde5cb0dcb74c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: wg-kex-wg0 wg_packet_handshake_receive_worker RIP: 0010:__lock_acquire+0x69/0x2050 kernel/locking/lockdep.c:5062 Code: b6 04 30 84 c0 0f 85 9b 16 00 00 45 31 f6 83 3d 88 66 ab 0e 00 0f 84 b6 13 00 00 89 54 24 54 89 5c 24 68 4c 89 f8 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 ff e8 f9 27 8b 00 48 be 00 00 00 00 00 fc RSP: 0018:ffffc90000a17fd0 EFLAGS: 00010002 RAX: 0dfd67131ffff113 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 6feb3898ffff8898 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 
dffffc0000000000 R11: fffffbfff2036ac6 R12: ffff88801e783c00 R13: 0000000000000001 R14: 0000000000000000 R15: 6feb3898ffff8898 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd8f5bfa440 CR3: 0000000029774000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5822 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 __queue_work+0x759/0xf50 queue_work_on+0x1c2/0x380 kernel/workqueue.c:2390 wg_packet_receive+0x133a/0x2570 drivers/net/wireguard/receive.c:570 wg_receive+0x75/0xa0 drivers/net/wireguard/socket.c:326 udpv6_queue_rcv_one_skb+0x1695/0x18a0 net/ipv6/udp.c:726 udp6_unicast_rcv_skb+0x230/0x370 net/ipv6/udp.c:928 ip6_protocol_deliver_rcu+0xccf/0x1580 net/ipv6/ip6_input.c:436 ip6_input_finish+0x187/0x2d0 net/ipv6/ip6_input.c:481 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5662 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napi_poll+0xcb/0x490 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 wg_socket_send_skb_to_peer+0x176/0x1d0 drivers/net/wireguard/socket.c:184 wg_packet_send_handshake_response+0x198/0x2e0 drivers/net/wireguard/send.c:103 wg_receive_handshake_packet drivers/net/wireguard/receive.c:154 [inline] wg_packet_handshake_receive_worker+0x5e6/0xf50 drivers/net/wireguard/receive.c:213 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 
kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__lock_acquire+0x69/0x2050 kernel/locking/lockdep.c:5062 Code: b6 04 30 84 c0 0f 85 9b 16 00 00 45 31 f6 83 3d 88 66 ab 0e 00 0f 84 b6 13 00 00 89 54 24 54 89 5c 24 68 4c 89 f8 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 ff e8 f9 27 8b 00 48 be 00 00 00 00 00 fc RSP: 0018:ffffc90000a17fd0 EFLAGS: 00010002 RAX: 0dfd67131ffff113 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 6feb3898ffff8898 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: dffffc0000000000 R11: fffffbfff2036ac6 R12: ffff88801e783c00 R13: 0000000000000001 R14: 0000000000000000 R15: 6feb3898ffff8898 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd8f5bfa440 CR3: 0000000029774000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: b6 04 mov $0x4,%dh 2: 30 84 c0 0f 85 9b 16 xor %al,0x169b850f(%rax,%rax,8) 9: 00 00 add %al,(%rax) b: 45 31 f6 xor %r14d,%r14d e: 83 3d 88 66 ab 0e 00 cmpl $0x0,0xeab6688(%rip) # 0xeab669d 15: 0f 84 b6 13 00 00 je 0x13d1 1b: 89 54 24 54 mov %edx,0x54(%rsp) 1f: 89 5c 24 68 mov %ebx,0x68(%rsp) 23: 4c 89 f8 mov %r15,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1) <-- trapping instruction 2e: 74 12 je 0x42 30: 4c 89 ff mov %r15,%rdi 33: e8 f9 27 8b 00 call 0x8b2831 38: 48 rex.W 39: be 00 00 00 00 mov $0x0,%esi 3e: 00 fc add %bh,%ah --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. 
syzbot engineers can be reached at syzkaller at googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup From syzbot+f2fbf7478a35a94c8b7c at syzkaller.appspotmail.com Wed Sep 25 23:05:28 2024 From: syzbot+f2fbf7478a35a94c8b7c at syzkaller.appspotmail.com (syzbot) Date: Wed, 25 Sep 2024 23:05:28 -0000 Subject: [syzbot] [wireguard?] INFO: task hung in wg_netns_pre_exit (5) Message-ID: <66f49736.050a0220.211276.0036.GAE@google.com> Hello, syzbot found the following issue on: HEAD commit: aa486552a110 Merge tag 'memblock-v6.12-rc1' of git://git.k.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10795907980000 kernel config: https://syzkaller.appspot.com/x/.config?x=6c71bad3e6ab6955 dashboard link: https://syzkaller.appspot.com/bug?extid=f2fbf7478a35a94c8b7c compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 Unfortunately, I don't have any reproducer for this issue yet. Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/7c6beec63de3/disk-aa486552.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/fa35efb3dd39/vmlinux-aa486552.xz kernel image: https://storage.googleapis.com/syzbot-assets/537d8ff45d85/bzImage-aa486552.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+f2fbf7478a35a94c8b7c at syzkaller.appspotmail.com INFO: task kworker/u8:4:62 blocked for more than 147 seconds. 
Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:4 state:D stack:22032 pid:62 tgid:62 ppid:2 flags:0x00004000 Workqueue: netns cleanup_net Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414 ops_pre_exit_list net/core/net_namespace.c:163 [inline] cleanup_net+0x615/0xcc0 net/core/net_namespace.c:606 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INFO: task kworker/1:6:5282 blocked for more than 148 seconds. Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:kworker/1:6 state:D stack:20280 pid:5282 tgid:5282 ppid:2 flags:0x00004000
Workqueue: events_power_efficient reg_check_chans_work
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 reg_check_chans_work+0x99/0xfd0 net/wireless/reg.c:2480
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
INFO: task syz.3.199:5864 blocked for more than 149 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.199 state:D stack:26112 pid:5864 tgid:5864 ppid:5247 flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 tun_detach drivers/net/tun.c:698 [inline]
 tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 get_signal+0x176f/0x1810 kernel/signal.c:2936
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5630baffe5
RSP: 002b:00007f5631a32f80 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: fffffffffffffdfc RBX: 00007f5630d35f80 RCX: 00007f5630baffe5
RDX: 00007f5631a32fc0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f5630bf0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f5630d35f80 R15: 00007f5630e5fa28
INFO: task syz-executor:7290 blocked for more than 149 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:20696 pid:7290 tgid:7290 ppid:1 flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 tun_detach drivers/net/tun.c:698 [inline]
 tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 get_signal+0x176f/0x1810 kernel/signal.c:2936
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fef8cf7c93c
RSP: 002b:00007fef8d25fd90 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007fef8cf7c93c
RDX: 0000000000000028 RSI: 00007fef8d25fe40 RDI: 00000000000000f9
RBP: 00007fef8d25fdec R08: 0000000000000000 R09: 0079746972756365
R10: 00007fef8d1087e0 R11: 0000000000000246 R12: 0000000000000032
R13: 000000000002d01e R14: 000000000002c93a R15: 00007fef8d25fe40
INFO: task syz-executor:7963 blocked for more than 150 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:26512 pid:7963 tgid:7963 ppid:1 flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
 ops_init+0x31e/0x590 net/core/net_namespace.c:139
 setup_net+0x287/0x9e0 net/core/net_namespace.c:356
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x619/0xc10 kernel/fork.c:3315
 __do_sys_unshare kernel/fork.c:3386 [inline]
 __se_sys_unshare kernel/fork.c:3384 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0fcc97f6f7
RSP: 002b:00007f0fccc5ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f0fcc9f22ec RCX: 00007f0fcc97f6f7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 0000000000000000 R08: 00007f0fcd667d60 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c
R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000
INFO: task syz-executor:7964 blocked for more than 150 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:26520 pid:7964 tgid:7964 ppid:1 flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
 ops_init+0x31e/0x590 net/core/net_namespace.c:139
 setup_net+0x287/0x9e0 net/core/net_namespace.c:356
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x619/0xc10 kernel/fork.c:3315
 __do_sys_unshare kernel/fork.c:3386 [inline]
 __se_sys_unshare kernel/fork.c:3384 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f73df37f6f7
RSP: 002b:00007f73df65ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f73df3f22ec RCX: 00007f73df37f6f7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 0000000000000000 R08: 00007f73e0067d60 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c
R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000
INFO: task syz-executor:7967 blocked for more than 151 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:26400 pid:7967 tgid:7967 ppid:1 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
 ops_init+0x31e/0x590 net/core/net_namespace.c:139
 setup_net+0x287/0x9e0 net/core/net_namespace.c:356
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x619/0xc10 kernel/fork.c:3315
 __do_sys_unshare kernel/fork.c:3386 [inline]
 __se_sys_unshare kernel/fork.c:3384 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb3ccf7f6f7
RSP: 002b:00007fb3cd25ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007fb3ccff22ec RCX: 00007fb3ccf7f6f7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 0000000000000000 R08: 00007fb3cdc67d60 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c
R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000
INFO: task syz-executor:7968 blocked for more than 151 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:26736 pid:7968 tgid:7968 ppid:1 flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
 ops_init+0x31e/0x590 net/core/net_namespace.c:139
 setup_net+0x287/0x9e0 net/core/net_namespace.c:356
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x619/0xc10 kernel/fork.c:3315
 __do_sys_unshare kernel/fork.c:3386 [inline]
 __se_sys_unshare kernel/fork.c:3384 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe1cc77f6f7
RSP: 002b:00007fe1cca5ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007fe1cc7f22ec RCX: 00007fe1cc77f6f7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 0000000000000000 R08: 00007fe1cd467d60 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c
R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000
INFO: task syz-executor:7970 blocked for more than 151 seconds.
      Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:26592 pid:7970 tgid:7970 ppid:1 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
 ops_init+0x31e/0x590 net/core/net_namespace.c:139
 setup_net+0x287/0x9e0 net/core/net_namespace.c:356
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x619/0xc10 kernel/fork.c:3315
 __do_sys_unshare kernel/fork.c:3386 [inline]
 __se_sys_unshare kernel/fork.c:3384 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fed4d37f6f7
RSP: 002b:00007fed4d65ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007fed4d3f22ec RCX: 00007fed4d37f6f7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 0000000000000000 R08: 00007fed4e067d60 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c
R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000

Showing all locks held in the system:
4 locks held by kworker/0:1/9:
1 lock held by khungtaskd/30:
 #0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6701
3 locks held by kworker/u8:2/35:
 #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
 #1: ffffc90000ab7d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc90000ab7d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
 #2: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276
4 locks held by kworker/u8:4/62:
 #0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
 #1: ffffc900015d7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc900015d7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
 #2: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:580
 #3: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
3 locks held by kworker/u8:5/742:
 #0: ffff88802e0c8948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88802e0c8948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
 #1: ffffc900035bfd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc900035bfd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
 #2: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4736
3 locks held by kworker/0:2/939:
 #0: ffff88801ac80948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801ac80948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
 #1: ffffc90003cb7d00 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc90003cb7d00 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
 #2: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
2 locks held by kworker/u8:7/2511:
2 locks held by getty/4983:
 #0: ffff88814ce900a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
3 locks held by kworker/1:6/5282:
 #0: ffff88801ac81948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801ac81948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
 #1: ffffc90004497d00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc90004497d00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
 #2: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: reg_check_chans_work+0x99/0xfd0 net/wireless/reg.c:2480
1 lock held by syz.3.199/5864:
 #0: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517
2 locks held by syz-executor/6709:
 #0: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517
 #1: ffffffff8e7d1dd0 (cpu_hotplug_lock){++++}-{0:0}, at: flush_all_backlogs net/core/dev.c:6021 [inline]
 #1: ffffffff8e7d1dd0 (cpu_hotplug_lock){++++}-{0:0}, at: unregister_netdevice_many_notify+0x5ea/0x1da0 net/core/dev.c:11380
1 lock held by syz-executor/7290:
 #0: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517
2 locks held by syz-executor/7963:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7964:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7967:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7968:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7970:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7987:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7989:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7993:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7995:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/7996:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/8007:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/8009:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/8011:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/8016:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885
2 locks held by syz-executor/8020:
 #0: ffffffff8fcc4dd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
 #1: ffffffff8fcd18c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xff4/0x1040 kernel/hung_task.c:379
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-syzkaller-10622-gaa486552a110 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events_power_efficient neigh_periodic_work
RIP: 0010:unwind_next_frame+0x4c0/0x22d0 arch/x86/kernel/unwind_orc.c:512
Code: e8 03 42 0f b6 04 20 84 c0 0f 85 8a 16 00 00 41 0f b7 1f c1 eb 0b 80 e3 01 48 8b 44 24 28 42 0f b6 04 20 84 c0 4c 8b 74 24 78 <0f> 85 8d 16 00 00 48 8b 04 24 88 18 41 0f b7 1f 83 e3 0f 83 fb 05
RSP: 0018:ffffc90000006c70 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9035b3dc
RDX: ffffffff90af2768 RSI: ffffffff90af273e RDI: 0000000000000001
RBP: ffffc90000006d90 R08: 000000000000000b R09: ffffc90000006e30
R10: ffffc90000006d90 R11: ffffffff81806870 R12: dffffc0000000000
R13: ffffc90000006d40 R14: ffffc90000006d78 R15: ffffffff90af276c
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f41d2cab1cb CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2343 [inline]
 slab_free mm/slub.c:4580 [inline]
 kmem_cache_free+0x1a2/0x420 mm/slub.c:4682
 nft_synproxy_eval_v4+0x3d2/0x610 net/netfilter/nft_synproxy.c:60
 nft_synproxy_do_eval+0x362/0xa60 net/netfilter/nft_synproxy.c:141
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 __netif_receive_skb_one_core net/core/dev.c:5662 [inline]
 __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775
 process_backlog+0x662/0x15b0 net/core/dev.c:6107
 __napi_poll+0xcb/0x490 net/core/dev.c:6771
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 neigh_periodic_work+0xb35/0xd50 net/core/neighbour.c:1019
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.

From syzbot+7da6c19dc528c2ebc612@syzkaller.appspotmail.com Mon Sep 30 04:20:27 2024
From: syzbot+7da6c19dc528c2ebc612@syzkaller.appspotmail.com (syzbot)
Date: Mon, 30 Sep 2024 04:20:27 -0000
Subject: [syzbot] [wireguard?] INFO: task hung in wg_destruct (2)
Message-ID: <66fa2708.050a0220.aab67.0025.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    3efc57369a0c Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17590ea9980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a4fcb065287cdb84
dashboard link: https://syzkaller.appspot.com/bug?extid=7da6c19dc528c2ebc612
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b5a4faec7a99/disk-3efc5736.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/971adf9a5295/vmlinux-3efc5736.xz
kernel image: https://storage.googleapis.com/syzbot-assets/49516da34e16/bzImage-3efc5736.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7da6c19dc528c2ebc612@syzkaller.appspotmail.com

INFO: task kworker/u8:3:52 blocked for more than 143 seconds.
      Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:3 state:D stack:20048 pid:52 tgid:52 ppid:2 flags:0x00004000
Workqueue: netns cleanup_net
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 wg_destruct+0x25/0x2e0 drivers/net/wireguard/device.c:246
 netdev_run_todo+0xe1a/0x1000 net/core/dev.c:10805
 default_device_exit_batch+0xa24/0xaa0 net/core/dev.c:11945
 ops_exit_list net/core/net_namespace.c:178 [inline]
 cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:626
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
INFO: task dhcpcd:4897 blocked for more than 144 seconds.
      Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd state:D stack:23632 pid:4897 tgid:4897 ppid:1 flags:0x00000002
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 nl80211_pre_doit+0x5f/0x8b0 net/wireless/nl80211.c:16580
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1110 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xaaa/0xec0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2602
 ___sys_sendmsg net/socket.c:2656 [inline]
 __sys_sendmsg+0x292/0x380 net/socket.c:2685
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcb51a89a4b
RSP: 002b:00007ffd30a99618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcb51a89a4b
RDX: 0000000000000000 RSI: 00007ffd30a99660 RDI: 0000000000000010
RBP: 00007ffd30aadb28 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd30aadd70 R11: 0000000000000246 R12: 0000000000000010
R13: 00007ffd30a9d6c0 R14: 0000000000000000 R15: 000055706c260780
INFO: task kworker/u8:12:5817 blocked for more than 145 seconds.
      Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:12 state:D stack:20048 pid:5817 tgid:5817 ppid:2 flags:0x00004000
Workqueue: cfg80211 cfg80211_dfs_channels_update_work
Call Trace:
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0x1895/0x4b30 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
 cfg80211_dfs_channels_update_work+0xbf/0x610 net/wireless/mlme.c:1021
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
INFO: task kworker/u8:13:5818 blocked for more than 145 seconds.
      Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:13 state:D stack:20496 pid:5818 tgid:5818 ppid:2 flags:0x00004000 Workqueue: events_unbound linkwatch_event Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 linkwatch_event+0xe/0x60 net/core/link_watch.c:276 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INFO: task syz-executor:11463 blocked for more than 145 seconds. Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor state:D stack:21728 pid:11463 tgid:11463 ppid:1 flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 rtnl_lock net/core/rtnetlink.c:79 [inline] rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:744 __sys_sendto+0x39b/0x4f0 net/socket.c:2209 __do_sys_sendto net/socket.c:2221 [inline] __se_sys_sendto net/socket.c:2217 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2217 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7a4d17fe8c RSP: 002b:00007f7a4d45f6b0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f7a4de64620 RCX: 00007f7a4d17fe8c RDX: 000000000000003c RSI: 00007f7a4de64670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007f7a4d45f704 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007f7a4de64670 R15: 0000000000000000 INFO: task syz.2.1136:11518 blocked for more than 146 seconds. Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.2.1136 state:D stack:23520 pid:11518 tgid:11512 ppid:10259 flags:0x00004002 Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 tun_detach drivers/net/tun.c:698 [inline] tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:228 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 get_signal+0x16a3/0x1740 kernel/signal.c:2917 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6d0817dff9 RSP: 002b:00007f6d08fea038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: 0000000000000000 RBX: 00007f6d08336058 RCX: 00007f6d0817dff9 RDX: 0000000020000040 RSI: 0000000000008983 RDI: 000000000000000b RBP: 00007f6d081f0296 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f6d08336058 R15: 00007f6d0845fa28 INFO: task syz.4.1142:11533 blocked for more than 147 seconds. Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.4.1142 state:D stack:22320 pid:11533 tgid:11532 ppid:10623 flags:0x00004002 Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 tun_detach drivers/net/tun.c:698 [inline] tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:228 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 get_signal+0x16a3/0x1740 kernel/signal.c:2917 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbf3577dff9 RSP: 002b:00007fbf3659a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: 0000000000000024 RBX: 00007fbf35935f80 RCX: 00007fbf3577dff9 RDX: 0000000000000024 RSI: 0000000020000000 RDI: 0000000000000009 RBP: 00007fbf357f0296 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fbf35935f80 R15: 00007fbf35a5fa28 INFO: task syz-executor:11545 blocked for more than 147 seconds. Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor state:D stack:26464 pid:11545 tgid:11545 ppid:1 flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 ip_tunnel_init_net+0x20e/0x720 net/ipv4/ip_tunnel.c:1159 ops_init+0x31e/0x590 net/core/net_namespace.c:139 setup_net+0x287/0x9e0 net/core/net_namespace.c:356 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x619/0xc10 kernel/fork.c:3315 __do_sys_unshare kernel/fork.c:3386 [inline] __se_sys_unshare kernel/fork.c:3384 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a6637f7f7 RSP: 002b:00007f2a6665ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f2a663f1a85 RCX: 00007f2a6637f7f7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 0000000000000000 R08: 00007f2a67067d60 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000 INFO: task syz-executor:11548 blocked for more than 148 seconds. Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor state:D stack:26016 pid:11548 tgid:11548 ppid:1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 __tun_chr_ioctl+0x48c/0x2400 drivers/net/tun.c:3121 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff6c897dbfb RSP: 002b:00007ff6c8c5fe90 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ff6c89f1a85 RCX: 00007ff6c897dbfb RDX: 00007ff6c8c5ff10 RSI: 00000000400454ca RDI: 00000000000000c8 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000 INFO: task syz-executor:11554 blocked for more than 148 seconds. Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor state:D stack:24784 pid:11554 tgid:11554 ppid:1 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:5315 [inline] __schedule+0x1895/0x4b30 kernel/sched/core.c:6675 __schedule_loop kernel/sched/core.c:6752 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6767 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 ops_init+0x31e/0x590 net/core/net_namespace.c:139 setup_net+0x287/0x9e0 net/core/net_namespace.c:356 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x619/0xc10 kernel/fork.c:3315 __do_sys_unshare kernel/fork.c:3386 [inline] __se_sys_unshare kernel/fork.c:3384 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3384 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb620b7f7f7 RSP: 002b:00007fb620e5ffa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007fb620bf1a85 RCX: 00007fb620b7f7f7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 0000000000000000 R08: 00007fb621867d60 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000000c R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000000 Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings Showing all locks held in the system: 1 lock held by khungtaskd/30: #0: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #0: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 
kernel/locking/lockdep.c:6701 2 locks held by kworker/u8:2/35: #0: ffff8880b863ea98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:593 #1: ffff8880b8628948 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x441/0x770 kernel/sched/psi.c:989 4 locks held by kworker/1:1/51: 4 locks held by kworker/u8:3/52: #0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline] #0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310 #1: ffffc90000bd7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline] #1: ffffc90000bd7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310 #2: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:580 #3: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: wg_destruct+0x25/0x2e0 drivers/net/wireguard/device.c:246 2 locks held by dhcpcd/4897: #0: ffffffff8fd37230 (cb_lock){++++}-{3:3}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x5f/0x8b0 net/wireless/nl80211.c:16580 2 locks held by getty/4986: #0: ffff888031b7a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211 3 locks held by kworker/1:5/5283: 3 locks held by kworker/u8:8/5692: #0: ffff88814c309148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline] #0: ffff88814c309148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310 #1: ffffc9000cf87d00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline] #1: 
ffffc9000cf87d00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310 #2: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4736 3 locks held by kworker/u8:12/5817: #0: ffff8881462a8948 ((wq_completion)cfg80211){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline] #0: ffff8881462a8948 ((wq_completion)cfg80211){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310 #1: ffffc9000343fd00 ((work_completion)(&(&rdev->dfs_update_channels_wk)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline] #1: ffffc9000343fd00 ((work_completion)(&(&rdev->dfs_update_channels_wk)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310 #2: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: cfg80211_dfs_channels_update_work+0xbf/0x610 net/wireless/mlme.c:1021 3 locks held by kworker/u8:13/5818: #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline] #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310 #1: ffffc9000342fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline] #1: ffffc9000342fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310 #2: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276 1 lock held by syz-executor/11463: #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643 1 lock held by syz.2.1136/11518: #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline] #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: 
tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517 1 lock held by syz.4.1142/11533: #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline] #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3517 2 locks held by syz-executor/11540: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: setup_net+0x602/0x9e0 net/core/net_namespace.c:378 2 locks held by syz-executor/11542: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: setup_net+0x602/0x9e0 net/core/net_namespace.c:378 2 locks held by syz-executor/11545: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x20e/0x720 net/ipv4/ip_tunnel.c:1159 1 lock held by syz-executor/11548: #0: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl+0x48c/0x2400 drivers/net/tun.c:3121 2 locks held by syz-executor/11554: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11558: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11564: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11566: #0: ffffffff8fcc49d0 
(pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11569: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11574: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11581: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11586: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11588: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11595: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11600: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 
net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11605: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11611: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11613: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 2 locks held by syz-executor/11616: #0: ffffffff8fcc49d0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490 #1: ffffffff8fcd14c8 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3885 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline] watchdog+0xff4/0x1040 kernel/hung_task.c:379 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient neigh_periodic_work RIP: 0010:__lock_acquire+0xe9b/0x2050 Code: 81 e3 00 60 00 00 09 c3 4c 89 f0 48 c1 e8 20 29 c3 89 c1 c1 c1 04 31 d9 44 01 f0 41 29 ce 89 ca c1 c2 06 44 31 f2 01 c1 29 d0 <89> d6 c1 c6 08 31 c6 01 ca 29 f1 89 f3 c1 c3 10 31 cb 01 d6 29 da RSP: 0018:ffffc90000a17430 EFLAGS: 00000087 RAX: 00000000e98ab003 RBX: 000000006b5f6680 RCX: 000000003db26586 RDX: 0000000032d4b8da RSI: 0000000000000008 RDI: dffffc0000000000 RBP: ffff888020eac780 R08: ffffffff942757c7 R09: 1ffffffff284eaf8 R10: dffffc0000000000 R11: fffffbfff284eaf9 R12: 0000000000000000 R13: ffff888020eac6d8 R14: 00000000666b9292 R15: ffff888020eac7a0 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020001000 CR3: 000000000e734000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000004000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5822 rcu_lock_acquire include/linux/rcupdate.h:337 [inline] rcu_read_lock include/linux/rcupdate.h:849 [inline] __skb_flow_dissect+0x50e/0x7d00 net/core/flow_dissector.c:1125 __xfrm_decode_session+0xc2/0xf70 net/xfrm/xfrm_policy.c:3461 xfrm_decode_session include/net/xfrm.h:1258 [inline] ip_route_me_harder+0xa5c/0x1300 net/ipv4/netfilter.c:66 synproxy_send_tcp+0x356/0x6c0 net/netfilter/nf_synproxy_core.c:431 synproxy_send_client_synack+0x8b8/0xf30 net/netfilter/nf_synproxy_core.c:484 nft_synproxy_eval_v4+0x3ca/0x610 net/netfilter/nft_synproxy.c:59 nft_synproxy_do_eval+0x362/0xa60 net/netfilter/nft_synproxy.c:141 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn 
include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5662 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napi_poll+0xcb/0x490 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 neigh_periodic_work+0xb35/0xd50 net/core/neighbour.c:1019 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller at googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. 
If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup From syzbot+8aaf2df2ef0164ffe1fb at syzkaller.appspotmail.com Mon Sep 30 23:39:31 2024 From: syzbot+8aaf2df2ef0164ffe1fb at syzkaller.appspotmail.com (syzbot) Date: Mon, 30 Sep 2024 23:39:31 -0000 Subject: [syzbot] [kernel] WARNING: locking bug in try_to_wake_up In-Reply-To: <000000000000516ace0618827799@google.com> Message-ID: <66fb36b1.050a0220.aab67.003b.GAE@google.com> syzbot has found a reproducer for the following issue on: HEAD commit: 9852d85ec9d4 Linux 6.12-rc1 git tree: upstream console+strace: https://syzkaller.appspot.com/x/log.txt?x=16c0ddd0580000 kernel config: https://syzkaller.appspot.com/x/.config?x=1f009dd80b3799c2 dashboard link: https://syzkaller.appspot.com/bug?extid=8aaf2df2ef0164ffe1fb compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12017d07980000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ad839f980000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/3a7fe74d3205/disk-9852d85e.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/0332f06aa08e/vmlinux-9852d85e.xz kernel image: https://storage.googleapis.com/syzbot-assets/58ddf291e00e/bzImage-9852d85e.xz mounted in repro #1: https://storage.googleapis.com/syzbot-assets/7b9a21b4b8c9/mount_0.gz mounted in repro #2: https://storage.googleapis.com/syzbot-assets/e0b9c39ab630/mount_2.gz mounted in repro #3: https://storage.googleapis.com/syzbot-assets/6d11f8e19e12/mount_10.gz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: 
syzbot+8aaf2df2ef0164ffe1fb at syzkaller.appspotmail.com ================================================================== BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-fixup btrfs_work_helper Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154 btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842 btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Allocated by task 2: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187 alloc_task_struct_node 
kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1107 copy_process+0x5d1/0x3d50 kernel/fork.c:2206 kernel_clone+0x223/0x880 kernel/fork.c:2787 kernel_thread+0x1bc/0x240 kernel/fork.c:2849 create_kthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:765 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 61: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:2343 [inline] slab_free mm/slub.c:4580 [inline] kmem_cache_free+0x1a2/0x420 mm/slub.c:4682 put_task_struct include/linux/sched/task.h:144 [inline] delayed_put_task_struct+0x125/0x300 kernel/exit.c:228 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1037 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 Last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 __call_rcu_common kernel/rcu/tree.c:3086 [inline] call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190 context_switch kernel/sched/core.c:5318 [inline] __schedule+0x184b/0x4ae0 kernel/sched/core.c:6675 schedule_idle+0x56/0x90 kernel/sched/core.c:6793 do_idle+0x56a/0x5d0 kernel/sched/idle.c:354 cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424 
start_secondary+0x102/0x110 arch/x86/kernel/smpboot.c:314 common_startup_64+0x13e/0x147 The buggy address belongs to the object at ffff8880272a8000 which belongs to the cache task_struct of size 7424 The buggy address is located 2584 bytes inside of freed 7424-byte region [ffff8880272a8000, ffff8880272a9d00) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x272a8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000 head: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea00009caa01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71247381401, free_ts 71214998153 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 alloc_slab_page+0x6a/0x120 mm/slub.c:2413 allocate_slab+0x5a/0x2f0 mm/slub.c:2579 new_slab mm/slub.c:2632 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819 __slab_alloc+0x58/0xa0 mm/slub.c:3909 __slab_alloc_node mm/slub.c:3962 [inline] slab_alloc_node mm/slub.c:4123 [inline] kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4187 alloc_task_struct_node 
kernel/fork.c:180 [inline]
 dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
 copy_process+0x5d1/0x3d50 kernel/fork.c:2206
 kernel_clone+0x223/0x880 kernel/fork.c:2787
 kernel_thread+0x1bc/0x240 kernel/fork.c:2849
 create_kthread kernel/kthread.c:412 [inline]
 kthreadd+0x60d/0x810 kernel/kthread.c:765
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

page last free pid 5230 tgid 5230 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
 discard_slab mm/slub.c:2678 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:3146
 put_cpu_partial+0x17c/0x250 mm/slub.c:3221
 __slab_free+0x2ea/0x3d0 mm/slub.c:4450
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
 getname_flags+0xb7/0x540 fs/namei.c:139
 do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8880272a8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880272a8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880272a8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880272a8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880272a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

--- If
you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

From ccoager at gmail.com Sun Sep 22 17:33:37 2024
From: ccoager at gmail.com (Cory Coager)
Date: Sun, 22 Sep 2024 17:33:37 -0000
Subject: wireguard-tools bug on Android with work profile
Message-ID:

If you have WireGuard installed in the work profile of Android, the
excluded/included apps are not routed properly. Looking at the source
code, wg-quick reads the apps and uids from /data/system/packages.list,
which only has the correct uids for the Owner profile. As such, iptables
gets the wrong uidrange for the apps list, and the apps do not work with
WireGuard in the work profile.

From ignat at cloudflare.com Mon Sep 23 18:23:27 2024
From: ignat at cloudflare.com (Ignat Korchagin)
Date: Mon, 23 Sep 2024 18:23:27 -0000
Subject: wireguard/napi stuck in napi_disable
Message-ID:

Hello,

We run calico on our Kubernetes cluster, which uses Wireguard to
encrypt in-cluster traffic [1]. Recently we tried to improve the
throughput of the cluster and eliminate some packet drops we're seeing
by switching on threaded NAPI [2] on these managed Wireguard
interfaces. However, our Kubernetes hosts started to lock up once in a
while.

Analyzing one stuck host with drgn we were able to confirm that the
code is just waiting in this loop [3] for the NAPI_STATE_SCHED bit to
be cleared for the Wireguard peer napi instance, but that never
happens for some reason. For context the full state of the stuck napi
instance is 0b100110111. What makes things worse - this happens when
calico removes a Wireguard peer, which happens while holding the
global rtnl_mutex, so all the other tasks requiring that mutex get
stuck as well.

Full stacktrace of the 'looping'
task:

#0 context_switch (linux/kernel/sched/core.c:5380:2)
#1 __schedule (linux/kernel/sched/core.c:6698:8)
#2 schedule (linux/kernel/sched/core.c:6772:3)
#3 schedule_hrtimeout_range_clock (linux/kernel/time/hrtimer.c:2311:3)
#4 usleep_range_state (linux/kernel/time/timer.c:2363:8)
#5 usleep_range (linux/include/linux/delay.h:68:2)
#6 napi_disable (linux/net/core/dev.c:6477:4)
#7 peer_remove_after_dead (linux/drivers/net/wireguard/peer.c:120:2)
#8 set_peer (linux/drivers/net/wireguard/netlink.c:425:3)
#9 wg_set_device (linux/drivers/net/wireguard/netlink.c:592:10)
#10 genl_family_rcv_msg_doit (linux/net/netlink/genetlink.c:971:8)
#11 genl_family_rcv_msg (linux/net/netlink/genetlink.c:1051:10)
#12 genl_rcv_msg (linux/net/netlink/genetlink.c:1066:8)
#13 netlink_rcv_skb (linux/net/netlink/af_netlink.c:2545:9)
#14 genl_rcv (linux/net/netlink/genetlink.c:1075:2)
#15 netlink_unicast_kernel (linux/net/netlink/af_netlink.c:1342:3)
#16 netlink_unicast (linux/net/netlink/af_netlink.c:1368:10)
#17 netlink_sendmsg (linux/net/netlink/af_netlink.c:1910:8)
#18 sock_sendmsg_nosec (linux/net/socket.c:730:12)
#19 __sock_sendmsg (linux/net/socket.c:745:16)
#20 ____sys_sendmsg (linux/net/socket.c:2560:8)
#21 ___sys_sendmsg (linux/net/socket.c:2614:8)
#22 __sys_sendmsg (linux/net/socket.c:2643:8)
#23 do_syscall_x64 (linux/arch/x86/entry/common.c:51:14)
#24 do_syscall_64 (linux/arch/x86/entry/common.c:81:7)
#25 entry_SYSCALL_64+0x9c/0x184 (linux/arch/x86/entry/entry_64.S:121)

We have also noticed that a similar issue is observed, when we switch
Wireguard threaded NAPI back to off: removing a Wireguard peer task
may still spend a considerable amount of time in the above loop (and
hold rtnl_mutex), however the host eventually recovers from this
state.

So the questions are:
1. Any ideas why NAPI_STATE_SCHED bit never gets cleared for the
threaded NAPI case in Wireguard?
2. Is it generally a good idea for Wireguard to loop for an
indeterminate amount of time, while holding the rtnl_mutex?
Or can it be refactored?

We have observed the problem on Linux 6.6.47 and 6.6.48. We did try to
downgrade the kernel a couple of patch revisions, but it did not help
and our logs indicate that at least the non-threaded prolonged holding
of the rtnl_mutex is happening for a while now.

[1]: https://docs.tigera.io/calico/latest/network-policy/encrypt-cluster-pod-traffic
[2]: https://docs.kernel.org/networking/napi.html#threaded
[3]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/core/dev.c?h=v6.6.48#n6476

From ignat at cloudflare.com Mon Sep 23 21:33:29 2024
From: ignat at cloudflare.com (Ignat Korchagin)
Date: Mon, 23 Sep 2024 21:33:29 -0000
Subject: wireguard/napi stuck in napi_disable
In-Reply-To:
References:
Message-ID:

On Mon, Sep 23, 2024 at 7:23 PM Ignat Korchagin wrote:
>
> Hello,
>
> We run calico on our Kubernetes cluster, which uses Wireguard to
> encrypt in-cluster traffic [1]. Recently we tried to improve the
> throughput of the cluster and eliminate some packet drops we're seeing
> by switching on threaded NAPI [2] on these managed Wireguard
> interfaces. However, our Kubernetes hosts started to lock up once in a
> while.
>
> Analyzing one stuck host with drgn we were able to confirm that the
> code is just waiting in this loop [3] for the NAPI_STATE_SCHED bit to
> be cleared for the Wireguard peer napi instance, but that never
> happens for some reason. For context the full state of the stuck napi
> instance is 0b100110111. What makes things worse - this happens when
> calico removes a Wireguard peer, which happens while holding the
> global rtnl_mutex, so all the other tasks requiring that mutex get
> stuck as well.
>
> Full stacktrace of the 'looping'
task:
>
> #0 context_switch (linux/kernel/sched/core.c:5380:2)
> #1 __schedule (linux/kernel/sched/core.c:6698:8)
> #2 schedule (linux/kernel/sched/core.c:6772:3)
> #3 schedule_hrtimeout_range_clock (linux/kernel/time/hrtimer.c:2311:3)
> #4 usleep_range_state (linux/kernel/time/timer.c:2363:8)
> #5 usleep_range (linux/include/linux/delay.h:68:2)
> #6 napi_disable (linux/net/core/dev.c:6477:4)
> #7 peer_remove_after_dead (linux/drivers/net/wireguard/peer.c:120:2)
> #8 set_peer (linux/drivers/net/wireguard/netlink.c:425:3)
> #9 wg_set_device (linux/drivers/net/wireguard/netlink.c:592:10)
> #10 genl_family_rcv_msg_doit (linux/net/netlink/genetlink.c:971:8)
> #11 genl_family_rcv_msg (linux/net/netlink/genetlink.c:1051:10)
> #12 genl_rcv_msg (linux/net/netlink/genetlink.c:1066:8)
> #13 netlink_rcv_skb (linux/net/netlink/af_netlink.c:2545:9)
> #14 genl_rcv (linux/net/netlink/genetlink.c:1075:2)
> #15 netlink_unicast_kernel (linux/net/netlink/af_netlink.c:1342:3)
> #16 netlink_unicast (linux/net/netlink/af_netlink.c:1368:10)
> #17 netlink_sendmsg (linux/net/netlink/af_netlink.c:1910:8)
> #18 sock_sendmsg_nosec (linux/net/socket.c:730:12)
> #19 __sock_sendmsg (linux/net/socket.c:745:16)
> #20 ____sys_sendmsg (linux/net/socket.c:2560:8)
> #21 ___sys_sendmsg (linux/net/socket.c:2614:8)
> #22 __sys_sendmsg (linux/net/socket.c:2643:8)
> #23 do_syscall_x64 (linux/arch/x86/entry/common.c:51:14)
> #24 do_syscall_64 (linux/arch/x86/entry/common.c:81:7)
> #25 entry_SYSCALL_64+0x9c/0x184 (linux/arch/x86/entry/entry_64.S:121)
>
> We have also noticed that a similar issue is observed, when we switch
> Wireguard threaded NAPI back to off: removing a Wireguard peer task
> may still spend a considerable amount of time in the above loop (and
> hold rtnl_mutex), however the host eventually recovers from this
> state.
>
> So the questions are:
> 1. Any ideas why NAPI_STATE_SCHED bit never gets cleared for the
> threaded NAPI case in Wireguard?
> 2.
Is it generally a good idea for Wireguard to loop for an
> indeterminate amount of time, while holding the rtnl_mutex? Or can it
> be refactored?

I've been also trying to reproduce this issue with a script [1]. While
I could not reproduce the complete lockup I've been able to confirm
that peer_remove_after_dead() may take multiple seconds to execute -
all while holding the rtnl_mutex. Below is bcc-tools funclatency
output from a freshly compiled mainline (6.11):

# /usr/share/bcc/tools/funclatency peer_remove_after_dead
Tracing 1 functions for "peer_remove_after_dead"... Hit Ctrl-C to end.
^C
     nsecs               : count     distribution
         0 -> 1          : 0        |                    |
         2 -> 3          : 0        |                    |
         4 -> 7          : 0        |                    |
         8 -> 15         : 0        |                    |
        16 -> 31         : 0        |                    |
        32 -> 63         : 0        |                    |
        64 -> 127        : 0        |                    |
       128 -> 255        : 0        |                    |
       256 -> 511        : 0        |                    |
       512 -> 1023       : 0        |                    |
      1024 -> 2047       : 0        |                    |
      2048 -> 4095       : 0        |                    |
      4096 -> 8191       : 0        |                    |
      8192 -> 16383      : 0        |                    |
     16384 -> 32767      : 0        |                    |
     32768 -> 65535      : 0        |                    |
     65536 -> 131071     : 0        |                    |
    131072 -> 262143     : 0        |                    |
    262144 -> 524287     : 68       |**                  |
    524288 -> 1048575    : 658      |********************|
   1048576 -> 2097151    : 267      |********            |
   2097152 -> 4194303    : 68       |**                  |
   4194304 -> 8388607    : 124      |***                 |
   8388608 -> 16777215   : 182      |*****               |
  16777216 -> 33554431   : 72       |**                  |
  33554432 -> 67108863   : 34       |*                   |
  67108864 -> 134217727  : 22       |                    |
 134217728 -> 268435455  : 11       |                    |
 268435456 -> 536870911  : 2        |                    |
 536870912 -> 1073741823 : 2        |                    |
1073741824 -> 2147483647 : 1        |                    |
2147483648 -> 4294967295 : 0        |                    |
4294967296 -> 8589934591 : 1        |                    |

avg = 14251705 nsecs, total: 21548578415 nsecs, count: 1512

Detaching...

So we have cases where it takes 2 or even 8 seconds to remove a single
peer, which is definitely not great considering we're holding a global
lock.

>
> We have observed the problem on Linux 6.6.47 and 6.6.48. We did try to
> downgrade the kernel a couple of patch revisions, but it did not help
> and our logs indicate that at least the non-threaded prolonged holding
> of the rtnl_mutex is happening for a while now.
>
> [1]: https://docs.tigera.io/calico/latest/network-policy/encrypt-cluster-pod-traffic
> [2]: https://docs.kernel.org/networking/napi.html#threaded
> [3]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/core/dev.c?h=v6.6.48#n6476

Ignat

[1]: https://gist.githubusercontent.com/ignatk/4505d96e02815de3aa5649c4aa7c3fca/raw/177e4eab9f491024db6488cd0ea1cbba2d5579b4/wg.sh

From dqminh at cloudflare.com Wed Sep 25 15:06:37 2024
From: dqminh at cloudflare.com (Daniel Dao)
Date: Wed, 25 Sep 2024 15:06:37 -0000
Subject: wireguard/napi stuck in napi_disable
In-Reply-To:
References:
Message-ID:

On Mon, Sep 23, 2024 at 10:33 PM Ignat Korchagin wrote:
>
> On Mon, Sep 23, 2024 at 7:23 PM Ignat Korchagin wrote:
> >
> > Hello,
> >
> > We run calico on our Kubernetes cluster, which uses Wireguard to
> > encrypt in-cluster traffic [1]. Recently we tried to improve the
> > throughput of the cluster and eliminate some packet drops we're seeing
> > by switching on threaded NAPI [2] on these managed Wireguard
> > interfaces. However, our Kubernetes hosts started to lock up once in a
> > while.
> >
> > Analyzing one stuck host with drgn we were able to confirm that the
> > code is just waiting in this loop [3] for the NAPI_STATE_SCHED bit to
> > be cleared for the Wireguard peer napi instance, but that never
> > happens for some reason. For context the full state of the stuck napi
> > instance is 0b100110111. What makes things worse - this happens when
> > calico removes a Wireguard peer, which happens while holding the
> > global rtnl_mutex, so all the other tasks requiring that mutex get
> > stuck as well.
> >
> > Full stacktrace of the 'looping'
task:
> >
> > #0 context_switch (linux/kernel/sched/core.c:5380:2)
> > #1 __schedule (linux/kernel/sched/core.c:6698:8)
> > #2 schedule (linux/kernel/sched/core.c:6772:3)
> > #3 schedule_hrtimeout_range_clock (linux/kernel/time/hrtimer.c:2311:3)
> > #4 usleep_range_state (linux/kernel/time/timer.c:2363:8)
> > #5 usleep_range (linux/include/linux/delay.h:68:2)
> > #6 napi_disable (linux/net/core/dev.c:6477:4)
> > #7 peer_remove_after_dead (linux/drivers/net/wireguard/peer.c:120:2)
> > #8 set_peer (linux/drivers/net/wireguard/netlink.c:425:3)
> > #9 wg_set_device (linux/drivers/net/wireguard/netlink.c:592:10)
> > #10 genl_family_rcv_msg_doit (linux/net/netlink/genetlink.c:971:8)
> > #11 genl_family_rcv_msg (linux/net/netlink/genetlink.c:1051:10)
> > #12 genl_rcv_msg (linux/net/netlink/genetlink.c:1066:8)
> > #13 netlink_rcv_skb (linux/net/netlink/af_netlink.c:2545:9)
> > #14 genl_rcv (linux/net/netlink/genetlink.c:1075:2)
> > #15 netlink_unicast_kernel (linux/net/netlink/af_netlink.c:1342:3)
> > #16 netlink_unicast (linux/net/netlink/af_netlink.c:1368:10)
> > #17 netlink_sendmsg (linux/net/netlink/af_netlink.c:1910:8)
> > #18 sock_sendmsg_nosec (linux/net/socket.c:730:12)
> > #19 __sock_sendmsg (linux/net/socket.c:745:16)
> > #20 ____sys_sendmsg (linux/net/socket.c:2560:8)
> > #21 ___sys_sendmsg (linux/net/socket.c:2614:8)
> > #22 __sys_sendmsg (linux/net/socket.c:2643:8)
> > #23 do_syscall_x64 (linux/arch/x86/entry/common.c:51:14)
> > #24 do_syscall_64 (linux/arch/x86/entry/common.c:81:7)
> > #25 entry_SYSCALL_64+0x9c/0x184 (linux/arch/x86/entry/entry_64.S:121)

Looking at this further to understand why the napi state would be
0b100110111, which decoded to SCHED | MISSED | DISABLE | LISTED |
NO_BUSY_POLL | THREADED, I think this is a problem with a MISSED wakeup
in napi threaded mode.
napi_complete_done calls __napi_schedule when the state has
`NAPIF_STATE_MISSED`, but in 6.6 it does not set NAPI_STATE_SCHED_THREADED
when the napi thread is running, and since the thread is running, the
wakeup does not do anything. Therefore we missed the chance to do another
poll, and if we race with napi_disable then the state will be
SCHED | MISSED | DISABLE, and we get stuck.

However, it looks like the following commit resolves that situation for us:

commit 56364c910691f6d10ba88c964c9041b9ab777bd6
Author: Sebastian Andrzej Siewior
Date:   Mon Mar 25 08:40:28 2024 +0100

    net: Remove conditional threaded-NAPI wakeup based on task state.

As long as we always set SCHED_THREADED, the next loop in the napi thread
will do the right thing and clear SCHED, letting napi_disable complete.
We are testing 6.6 with this patch, and haven't seen any similar lockups
so far.

>
> We have also noticed that a similar issue is observed, when we switch
> Wireguard threaded NAPI back to off: removing a Wireguard peer task
> may still spend a considerable amount of time in the above loop (and
> hold rtnl_mutex), however the host eventually recovers from this
> state.

However, these lockups become much more prominent now.
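[Editor's note: the state decoding discussed above can be reproduced mechanically. A minimal sketch follows; the bit positions are assumed from enum napi_state in include/linux/netdevice.h for 6.6-era kernels and should be double-checked against the tree being debugged.]

```python
# Decode a napi->state bitmask into flag names, as done by hand above.
# Bit positions are assumed from enum napi_state (6.6-era kernels);
# verify against your own tree before relying on them.
NAPI_STATE_BITS = [
    "SCHED",             # bit 0: poll is scheduled
    "MISSED",            # bit 1: reschedule a napi
    "DISABLE",           # bit 2: disable pending
    "NPSVC",             # bit 3: netpoll - don't dequeue from poll_list
    "LISTED",            # bit 4: napi instance is on the list
    "NO_BUSY_POLL",      # bit 5: do not add to napi_hash
    "IN_BUSY_POLL",      # bit 6: sk_busy_loop() owns this napi
    "PREFER_BUSY_POLL",  # bit 7: prefer busy-polling over softirq
    "THREADED",          # bit 8: napi runs in its own thread
    "SCHED_THREADED",    # bit 9: napi is scheduled in threaded mode
]

def decode_napi_state(state: int) -> list[str]:
    """Return the names of all flags set in a napi state word."""
    return [name for bit, name in enumerate(NAPI_STATE_BITS)
            if state & (1 << bit)]

print(" | ".join(decode_napi_state(0b100110111)))
```

Running it on the stuck instance's state 0b100110111 yields the same flag set quoted in the analysis above.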
Here is the stack trace of peer_remove_after_dead:

#0 context_switch (/cfsetup_build/build/linux/kernel/sched/core.c:5380:2)
#1 __schedule (/cfsetup_build/build/linux/kernel/sched/core.c:6699:8)
#2 schedule (/cfsetup_build/build/linux/kernel/sched/core.c:6773:3)
#3 schedule_timeout (/cfsetup_build/build/linux/kernel/time/timer.c:2143:3)
#4 do_wait_for_common (/cfsetup_build/build/linux/kernel/sched/completion.c:95:14)
#5 __wait_for_common (/cfsetup_build/build/linux/kernel/sched/completion.c:116:12)
#6 wait_for_common (/cfsetup_build/build/linux/kernel/sched/completion.c:127:9)
#7 wait_for_completion (/cfsetup_build/build/linux/kernel/sched/completion.c:148:2)
#8 __flush_workqueue (/cfsetup_build/build/linux/kernel/workqueue.c:3196:2)
#9 peer_remove_after_dead (/cfsetup_build/build/linux/drivers/net/wireguard/peer.c:116:2)
#10 set_peer (/cfsetup_build/build/linux/drivers/net/wireguard/netlink.c:425:3)
#11 wg_set_device (/cfsetup_build/build/linux/drivers/net/wireguard/netlink.c:592:10)
#12 genl_family_rcv_msg_doit (/cfsetup_build/build/linux/net/netlink/genetlink.c:971:8)
#13 genl_family_rcv_msg (/cfsetup_build/build/linux/net/netlink/genetlink.c:1051:10)
#14 genl_rcv_msg (/cfsetup_build/build/linux/net/netlink/genetlink.c:1066:8)
#15 netlink_rcv_skb (/cfsetup_build/build/linux/net/netlink/af_netlink.c:2544:9)
#16 genl_rcv (/cfsetup_build/build/linux/net/netlink/genetlink.c:1075:2)
#17 netlink_unicast_kernel (/cfsetup_build/build/linux/net/netlink/af_netlink.c:1342:3)
#18 netlink_unicast (/cfsetup_build/build/linux/net/netlink/af_netlink.c:1368:10)
#19 netlink_sendmsg (/cfsetup_build/build/linux/net/netlink/af_netlink.c:1910:8)
#20 sock_sendmsg_nosec (/cfsetup_build/build/linux/net/socket.c:730:12)
#21 __sock_sendmsg (/cfsetup_build/build/linux/net/socket.c:745:16)
#22 ____sys_sendmsg (/cfsetup_build/build/linux/net/socket.c:2590:8)
#23 ___sys_sendmsg (/cfsetup_build/build/linux/net/socket.c:2644:8)
#24 __sys_sendmsg (/cfsetup_build/build/linux/net/socket.c:2673:8)
#25 do_syscall_x64 (/cfsetup_build/build/linux/arch/x86/entry/common.c:51:14)
#26 do_syscall_64 (/cfsetup_build/build/linux/arch/x86/entry/common.c:81:7)
#27 entry_SYSCALL_64+0x9c/0x184 (/cfsetup_build/build/linux/arch/x86/entry/entry_64.S:121)
#28 0x41262e

drgn shows that we are waiting for completion of work for
wg_packet_tx_worker, which is destined for a completely different peer
than the peer we want to remove.

*(struct worker *)0xffff888107f640c0 = {
	.entry = (struct list_head){
		.next = (struct list_head *)0x0,
		.prev = (struct list_head *)0xffff8897e0cb1f50,
	},
	.hentry = (struct hlist_node){
		.next = (struct hlist_node *)0x0,
		.pprev = (struct hlist_node **)0xffff8897e0cb1f50,
	},
	.current_work = (struct work_struct *)0xffff8881a32638d0,
	.current_func = (work_func_t)wg_packet_tx_worker+0x0 = 0xffffffffc0f6ca40,
	.current_pwq = (struct pool_workqueue *)0xffff88812bca6400,
	.current_at = (u64)3491257913,
	.current_color = (unsigned int)4,
	.sleeping = (int)0,
	.last_func = (work_func_t)wg_packet_tx_worker+0x0 = 0xffffffffc0f6ca40,
	.scheduled = (struct list_head){
		.next = (struct list_head *)0xffff8881a32638d8,
		.prev = (struct list_head *)0xffff8881a32638d8,
	},
	.task = (struct task_struct *)0xffff888472a08000,
	.pool = (struct worker_pool *)0xffff8897e0cb1cc0,
	.node = (struct list_head){
		.next = (struct list_head *)0xffff888107f64360,
		.prev = (struct list_head *)0xffff888107f645a0,
	},
	.last_active = (unsigned long)4409382646,
	.flags = (unsigned int)64,
	.id = (int)1,
	.desc = (char [32])"wg-crypt-wireguard.cali",
	.rescue_wq = (struct workqueue_struct *)0x0,
}

This can take a very long time, especially if the peers produce/receive
as fast as they can, as in our test setup. We set up some metrics with
bpftrace to measure the duration of peer_remove_after_dead and
wg_packet_tx_worker, and got the following measurements after a long
wait time.
@duration_ms[peer_remove_after_dead]:
[512K, 1M)         1 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|

@duration_ms[wg_packet_tx_worker]:
[0]           744612 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[1]               20 |                                                    |
[2, 4)             2 |                                                    |
[4, 8)             2 |                                                    |
[16, 32)           2 |                                                    |
[256K, 512K)       1 |                                                    |
[2M, 4M)           1 |                                                    |

We can see that peer_remove_after_dead took between 512 and 1000 seconds
to complete, while wg_packet_tx_worker can take up to [2000s, 4000s) to
complete, which is an awfully long time.

Daniel

> >
> > So the questions are:
> > 1. Any ideas why NAPI_STATE_SCHED bit never gets cleared for the
> > threaded NAPI case in Wireguard?
> > 2. Is it generally a good idea for Wireguard to loop for an
> > indeterminate amount of time, while holding the rtnl_mutex? Or can it
> > be refactored?
>
> I've been also trying to reproduce this issue with a script [1]. While
> I could not reproduce the complete lockup I've been able to confirm
> that peer_remove_after_dead() may take multiple seconds to execute -
> all while holding the rtnl_mutex. Below is bcc-tools funclatency
> output from a freshly compiled mainline (6.11):
>
> # /usr/share/bcc/tools/funclatency peer_remove_after_dead
> Tracing 1 functions for "peer_remove_after_dead"... Hit Ctrl-C to end.
> ^C
>      nsecs               : count     distribution
>          0 -> 1          : 0        |                    |
>          2 -> 3          : 0        |                    |
>          4 -> 7          : 0        |                    |
>          8 -> 15         : 0        |                    |
>         16 -> 31         : 0        |                    |
>         32 -> 63         : 0        |                    |
>         64 -> 127        : 0        |                    |
>        128 -> 255        : 0        |                    |
>        256 -> 511        : 0        |                    |
>        512 -> 1023       : 0        |                    |
>       1024 -> 2047       : 0        |                    |
>       2048 -> 4095       : 0        |                    |
>       4096 -> 8191       : 0        |                    |
>       8192 -> 16383      : 0        |                    |
>      16384 -> 32767      : 0        |                    |
>      32768 -> 65535      : 0        |                    |
>      65536 -> 131071     : 0        |                    |
>     131072 -> 262143     : 0        |                    |
>     262144 -> 524287     : 68       |**                  |
>     524288 -> 1048575    : 658      |********************|
>    1048576 -> 2097151    : 267      |********            |
>    2097152 -> 4194303    : 68       |**                  |
>    4194304 -> 8388607    : 124      |***                 |
>    8388608 -> 16777215   : 182      |*****               |
>   16777216 -> 33554431   : 72       |**                  |
>   33554432 -> 67108863   : 34       |*                   |
>   67108864 -> 134217727  : 22       |                    |
>  134217728 -> 268435455  : 11       |                    |
>  268435456 -> 536870911  : 2        |                    |
>  536870912 -> 1073741823 : 2        |                    |
> 1073741824 -> 2147483647 : 1        |                    |
> 2147483648 -> 4294967295 : 0        |                    |
> 4294967296 -> 8589934591 : 1        |                    |
>
> avg = 14251705 nsecs, total: 21548578415 nsecs, count: 1512
>
> Detaching...
>
> So we have cases where it takes 2 or even 8 seconds to remove a single
> peer, which is definitely not great considering we're holding a global
> lock.
>
> > We have observed the problem on Linux 6.6.47 and 6.6.48. We did try to
> > downgrade the kernel a couple of patch revisions, but it did not help
> > and our logs indicate that at least the non-threaded prolonged holding
> > of the rtnl_mutex is happening for a while now.
>
> > [1]: https://docs.tigera.io/calico/latest/network-policy/encrypt-cluster-pod-traffic
> > [2]: https://docs.kernel.org/networking/napi.html#threaded
> > [3]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/core/dev.c?h=v6.6.48#n6476
>
> Ignat
>
> [1]: https://gist.githubusercontent.com/ignatk/4505d96e02815de3aa5649c4aa7c3fca/raw/177e4eab9f491024db6488cd0ea1cbba2d5579b4/wg.sh

From mirco.barone.3 at gmail.com Tue Sep 10 06:34:06 2024
From: mirco.barone.3 at gmail.com (Mirco Barone)
Date: Tue, 10 Sep 2024 06:34:06 -0000
Subject: [PATCH] Enabling Threaded NAPI by Default
Message-ID:

Hi everyone,

While testing Wireguard with a large number of tunnels, we noticed a
bottleneck caused by the superimposition of multiple NAPI functions on
the same CPU core, which prevents the system from scaling effectively.
More details are described in this paper on page 3:
https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf

Since each peer has its own NAPI struct, the problem can potentially
occur when many peers are created on the same machine.

The simple solution we found is to enable threaded NAPI, which
considerably improves throughput in our testing conditions while, at
the same time, showing no drawbacks in traditional deployment
scenarios (i.e., a single tunnel). Hence, we feel we could slightly
modify the code and move to threaded NAPI as the new default. Any
comments?

The option to revert to NAPI handled by a softirq is still preserved, by
simply changing the `/sys/class/net/<iface>/threaded` flag.
diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
old mode 100644
new mode 100755
index 3feb36ee5bfb..60554b7c405a
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -363,6 +363,8 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
 	ret = wg_ratelimiter_init();
 	if (ret < 0)
 		goto err_free_handshake_queue;
+
+	dev_set_threaded(dev, true);
 	ret = register_netdevice(dev);
 	if (ret < 0)

Kind regards
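[Editor's note: as a usage sketch for the sysfs knob mentioned in the message above, threaded NAPI can be toggled per interface at runtime. The interface name wg0 below is only an example; substitute your own.]

```shell
# Toggle threaded NAPI for a network interface at runtime (requires root).
# "wg0" is a hypothetical interface name used for illustration.

# Enable threaded NAPI (what the patch above would make the default):
echo 1 > /sys/class/net/wg0/threaded

# Revert to softirq-based NAPI:
echo 0 > /sys/class/net/wg0/threaded

# Inspect the current setting (prints 0 or 1):
cat /sys/class/net/wg0/threaded
```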