May 19th, 2026
# Reproducer (inside any QEMU VM running net-next with CONFIG_FAILSLAB=y,
# CONFIG_FAULT_INJECTION_DEBUG_FS=y, and a netdev driver that implements
# ndo_set_rx_mode_async, e.g. netdevsim):
#
#   echo 100 > /sys/kernel/debug/failslab/probability
#   echo Y > /sys/kernel/debug/failslab/task-filter
#   echo Y > /sys/kernel/debug/failslab/ignore-gfp-wait
#   echo 1 > /sys/kernel/slab/kmalloc-128/failslab
#   (echo 1 > /proc/self/make-it-fail; exec ./trigger)
#
# where ./trigger creates a netdevsim device and issues SIOCADDMULTI on it.
# Without the patch the WARN at net/core/dev_addr_lists.c:1278 fires
# every run.
#
# The knobs help mimic a memory-pressure scenario and reliably reproduce
# the WARN:
#
# probability=100
#     Once an allocation in our task is selected for failure (by
#     task-filter + cache-filter), fail it with 100% probability.
#
# task-filter=Y
#     Restrict fault injection to processes tagged via
#     /proc/<pid>/make-it-fail. Without this, every kmalloc-128 in the
#     whole kernel fails, including ones inside kworker / softirq
#     contexts that the system relies on to stay alive, and the VM
#     falls over before the reproducer runs. With it, only our trigger
#     process sees failures.
#
# ignore-gfp-wait=Y
#     Skip allocations that may sleep (GFP_KERNEL, GFP_NOFS, ...). The
#     target kmalloc inside __hw_addr_create() is GFP_ATOMIC because
#     it runs under netif_addr_lock_bh(). Setting ignore-gfp-wait=Y
#     confines failures to the GFP_ATOMIC class so we don't fail
#     unrelated GFP_KERNEL allocations on the same setup path
#     (sandbox unshare(), netlink ifup, etc.) and abort the trigger
#     before it reaches the snapshot.
#
# /sys/kernel/slab/kmalloc-128/failslab=1 (paired with cache-filter=Y
# via /sys/kernel/debug/failslab/cache-filter, set automatically by
# syzkaller's standard fault setup or explicitly in setup scripts)
#     sizeof(struct netdev_hw_addr) is ~104 bytes, which rounds up to
#     the kmalloc-128 slab. Marking that one cache as failable (with
#     cache-filter=Y telling failslab to honour per-cache opt-in)
#     narrows fault injection to the exact slab the bug needs.
#
# echo 1 > /proc/self/make-it-fail (inside the trigger task only)
#     Arms task-filter for this specific task. Must be done AFTER any
#     setup that allocates kmalloc-128 (open(), bind(), write_file,
#     socket(), etc.) and BEFORE the SIOCADDMULTI ioctl, so the fault
#     lands inside netif_addr_lists_snapshot() and not in setup.
#
# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$SIOCSIFHWADDR(r0, 0x8931, &(0x7f0000000000)={'netdevsim0\x00'}) (fail_nth: 3)
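
A preflight check for the failslab setup described above, as an added example that is not part of the original paste. It reads each knob back and reports any that differ from the values the notes call for, including cache-filter, which the command list does not set itself; the function name and the optional root-prefix argument are assumptions made here so the check can also run against a copied tree.

```shell
#!/bin/sh
# Added example (not from the original paste): verify the failslab knobs
# before arming /proc/self/make-it-fail and running ./trigger.
# Assumption: ROOT is a hypothetical path prefix; leave it empty on the live VM.
# debugfs booleans read back as Y/N, the numeric knobs as plain integers.

failslab_preflight() {
    root=${1:-}
    bad=0
    # Each row: knob path | required value | what goes wrong otherwise
    # (values and reasons taken from the reproducer notes above).
    while IFS='|' read -r path want why; do
        file="$root$path"
        if [ ! -r "$file" ]; then
            echo "MISSING  $path (need $want): $why"
            bad=1
            continue
        fi
        got=$(cat "$file")
        if [ "$got" = "$want" ]; then
            echo "ok       $path = $got"
        else
            echo "WRONG    $path = $got (need $want): $why"
            bad=1
        fi
    done <<'EOF'
/sys/kernel/debug/failslab/probability|100|selected allocations would not fail on every run
/sys/kernel/debug/failslab/task-filter|Y|untagged kernel contexts see failures and the VM falls over
/sys/kernel/debug/failslab/ignore-gfp-wait|Y|sleeping allocations on the setup path fail before the ioctl
/sys/kernel/debug/failslab/cache-filter|Y|the per-cache opt-in on kmalloc-128 is not honoured
/sys/kernel/slab/kmalloc-128/failslab|1|the slab backing struct netdev_hw_addr is not failable
EOF
    return "$bad"
}

# Usage on the VM (as root, debugfs mounted):
#   failslab_preflight && (echo 1 > /proc/self/make-it-fail; exec ./trigger)
```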