WARNING in wiphy_register (3)
Hello,

syzbot found the following crash on:

HEAD commit:    90cadbbf341d Merge git://git.kernel.org/pub/scm/linux/kern..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17053c9b40
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d41c8529d7e7362
dashboard link: https://syzkaller.appspot.com/bug?extid=73fd8b0aa60c67fa4b60
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17211a5740

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+73fd8b0aa60c67fa4...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
netlink: 'syz-executor4': attribute type 23 has an invalid length.
WARNING: CPU: 0 PID: 9553 at net/wireless/core.c:581 wiphy_verify_combinations net/wireless/core.c:581 [inline]
WARNING: CPU: 0 PID: 9553 at net/wireless/core.c:581 wiphy_register+0x147e/0x28d0 net/wireless/core.c:784
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9553 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #360
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
 panic+0x2ad/0x55c kernel/panic.c:188
 __warn.cold.8+0x20/0x45 kernel/panic.c:540
 report_bug+0x254/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:wiphy_verify_combinations net/wireless/core.c:581 [inline]
RIP: 0010:wiphy_register+0x147e/0x28d0 net/wireless/core.c:784
kobject: 'loop1' (a0078c7e): kobject_uevent_env
kobject: 'loop1' (a0078c7e): fill_kobj_path: path = '/devices/virtual/block/loop1'
 ieee80211_register_hw+0x15cd/0x40e0 net/mac80211/main.c:1109
 mac80211_hwsim_new_radio+0x2025/0x3630 drivers/net/wireless/mac80211_hwsim.c:2921
kobject: 'loop5' (3dbebf8f): kobject_uevent_env
kobject: 'loop5' (3dbebf8f): fill_kobj_path: path = '/devices/virtual/block/loop5'
 hwsim_new_radio_nl+0xd3a/0x14b0 drivers/net/wireless/mac80211_hwsim.c:3469
 genl_family_rcv_msg+0x8a7/0x11a0 net/netlink/genetlink.c:601
 genl_rcv_msg+0xc6/0x168 net/netlink/genetlink.c:626
 netlink_rcv_skb+0x16c/0x430 net/netlink/af_netlink.c:2477
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:637
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x59f/0x750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
 __sys_sendmsg+0x11d/0x280 net/socket.c:2154
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg net/socket.c:2161 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457759
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: WARNING in wiphy_register
On Mon, Jan 15, 2018 at 9:22 AM, Johannes Berg wrote:
> Hi syzbot maintainers,
>
> Thanks for the report.
>
>> hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
>> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
>> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
>
> You're getting into the kernel via generic netlink receive, so just as
> an FYI - the generic netlink numbers aren't stable across systems, so
> your reproducer has a quite good chance of not working without your
> kernel .config and (virt) hardware environment.

Hi Johannes,

Thanks for the feedback.

syzbot tests within a net namespace (which is free of eth0 and other stuff)
and does setup of devices in that namespace. For bugs, it first tries to
reproduce them in that environment and if that succeeds it tries to simplify
the reproducer by stripping namespace/device setup (which is quite verbose),
and if that succeeds it provides this simplified reproducer. In this case it
decided that namespace setup is not important. .config is still important,
but it is provided. Are you able to reproduce the WARNING with the provided
config? If not, we can look as to how to improve this.

> I'll take a look at this and the rfkill one, I assume that there are
> some sanity checks missing in hwsim generic netlink when it builds a
> radio struct.
>
> However, I can't really promise that I'll be able to validate the
> changes against your reproducer.
>
> johannes
Re: WARNING in wiphy_register
Hi syzbot maintainers,

Thanks for the report.

> hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624

You're getting into the kernel via generic netlink receive, so just as
an FYI - the generic netlink numbers aren't stable across systems, so
your reproducer has a quite good chance of not working without your
kernel .config and (virt) hardware environment.

I'll take a look at this and the rfkill one, I assume that there are
some sanity checks missing in hwsim generic netlink when it builds a
radio struct.

However, I can't really promise that I'll be able to validate the
changes against your reproducer.

johannes
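Added example, not part of this thread or of mac80211_hwsim, illustrating Johannes' point above: generic netlink family ids are allocated when a family registers, so a test harness that hard-codes the MAC80211_HWSIM id breaks on another kernel; the portable approach is to ask the nlctrl family (GENL_ID_CTRL, the one fixed id) for the family by name and parse CTRL_ATTR_FAMILY_ID out of its reply, with every attribute length checked against the enclosing message. The reply bytes, the sequence number and the id value 0x23 are constructed for the demonstration, not captured from a kernel; a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>

/* Return CTRL_ATTR_FAMILY_ID from an nlctrl (GENL_ID_CTRL) reply, or -1 if the message
 * is truncated, malformed or has no id; every attribute is bounds-checked before use. */
int parse_family_id(const unsigned char *buf, size_t len)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const unsigned char *p, *end;
    uint16_t id;

    if (len < (size_t)NLMSG_HDRLEN || nlh->nlmsg_len > len ||
        nlh->nlmsg_len < (uint32_t)NLMSG_LENGTH(GENL_HDRLEN) || nlh->nlmsg_type != GENL_ID_CTRL)
        return -1;
    p = (const unsigned char *)NLMSG_DATA(nlh) + GENL_HDRLEN;
    end = buf + nlh->nlmsg_len;
    while ((size_t)(end - p) >= (size_t)NLA_HDRLEN) {
        const struct nlattr *na = (const struct nlattr *)p;
        if (na->nla_len < NLA_HDRLEN || na->nla_len > (size_t)(end - p))
            return -1;                              /* attribute overruns the message */
        if ((na->nla_type & NLA_TYPE_MASK) == CTRL_ATTR_FAMILY_ID &&
            na->nla_len >= NLA_HDRLEN + sizeof id) {
            memcpy(&id, p + NLA_HDRLEN, sizeof id); /* u16 in host byte order */
            return id;
        }
        p += NLA_ALIGN(na->nla_len);                /* payloads are padded to 4 bytes */
    }
    return -1;
}

/* Constructed reply, not a real capture (little-endian host): nlmsghdr{len 48, type 16 =
 * GENL_ID_CTRL, seq 1}, genlmsghdr{cmd 1, v2}, FAMILY_NAME "MAC80211_HWSIM" (19->20 B),
 * FAMILY_ID 0x23 (6->8 B); 0x23 is an arbitrary sample id, not a real assignment. */
typedef union { unsigned char b[48]; struct nlmsghdr h; } reply_t;  /* keeps h aligned */
static const reply_t sample_reply = { {
    48, 0, 0, 0, 16, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
    1, 2, 0, 0,
    19, 0, 2, 0, 'M', 'A', 'C', '8', '0', '2', '1', '1', '_', 'H', 'W', 'S', 'I', 'M', 0, 0,
    6, 0, 1, 0, 0x23, 0, 0, 0 } };

int sample_family_id(void) { return parse_family_id(sample_reply.b, sizeof sample_reply); }

/* Same bytes with nlmsg_len cut to 44, so the 6-byte id attribute claims more than the
 * 4 bytes left: the walk must reject it rather than read past the end. */
int sample_truncated(void)
{
    reply_t r = sample_reply;
    r.h.nlmsg_len = 44;
    return parse_family_id(r.b, sizeof r);
}
```

On a live system the same parser is fed the reply to a CTRL_CMD_GETFAMILY request carrying CTRL_ATTR_FAMILY_NAME, which is what `genl ctrl get name MAC80211_HWSIM` does under the hood.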