[syzkaller] general protection fault in inet_csk_accept (called by mptcp_accept) #239

Closed
mjmartineau opened this issue Nov 1, 2021 · 4 comments

@mjmartineau
Member

Syzkaller (with CONFIG_PREEMPT in the target kernel) found the following. One occurrence, no reproducer, tag export/20211028T172544 2672761

audit: type=1326 audit(1635672035.070:90): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=24708 comm="syz-executor.5" exe="/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x469dcd code=0x0
tc_dump_action: action bad kind
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 24688 Comm: syz-executor.2 Not tainted 5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7dd7700(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdc7d73db8 CR3: 0000000113a3e001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x1a2/0x490 kernel/locking/lockdep.c:5590
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x280 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319
 do_accept+0x385/0x520 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7dd6c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057c038 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057c038
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7dd6dc0
Modules linked in:
---[ end trace 1f692fe5addaaf47 ]---
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7dd7700(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdc7d73db8 CR3: 0000000113a3e001 CR4: 0000000000770ef0
PKRU: 55555554
note: syz-executor.2[24688] exited with preempt_count 1
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:573
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 24688, name: syz-executor.2
INFO: lockdep is turned off.
irq event stamp: 2132
hardirqs last  enabled at (2131): [<ffffffff81160aa0>] __local_bh_enable_ip+0xa0/0x110 kernel/softirq.c:388
hardirqs last disabled at (2132): [<ffffffff83ab798e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (2132): [<ffffffff83ab798e>] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162
softirqs last  enabled at (2130): [<ffffffff830c4706>] lock_sock include/net/sock.h:1658 [inline]
softirqs last  enabled at (2130): [<ffffffff830c4706>] inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:450 [inline]
softirqs last  enabled at (2130): [<ffffffff830c4706>] inet_csk_accept+0x496/0xd20 net/ipv4/inet_connection_sock.c:497
softirqs last disabled at (2128): [<ffffffff82d0a08d>] spin_lock_bh include/linux/spinlock.h:368 [inline]
softirqs last disabled at (2128): [<ffffffff82d0a08d>] lock_sock_nested+0x5d/0xf0 net/core/sock.c:3288
CPU: 0 PID: 24688 Comm: syz-executor.2 Tainted: G      D           5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 ___might_sleep.cold+0x1f3/0x239 kernel/sched/core.c:9538
 __mutex_lock_common kernel/locking/mutex.c:573 [inline]
 __mutex_lock+0xbd/0x1610 kernel/locking/mutex.c:729
 io_uring_del_tctx_node+0x101/0x330 fs/io_uring.c:9694
 io_uring_clean_tctx fs/io_uring.c:9710 [inline]
 io_uring_cancel_generic+0x5c5/0x750 fs/io_uring.c:9798
 io_uring_files_cancel include/linux/io_uring.h:16 [inline]
 do_exit+0x254/0x2bd0 kernel/exit.c:780
 rewind_stack_do_exit+0x17/0x17 arch/x86/entry/entry_64.S:1441
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7dd6c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057c038 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057c038
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7dd6dc0
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#2] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 24679 Comm: syz-executor.2 Tainted: G      D W         5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x5a/0x290 kernel/locking/spinlock_debug.c:114
Code: dd de 7a 84 48 c1 ed 03 48 c7 44 24 18 80 f1 28 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4c 24 60 31
RSP: 0018:ffff88802dc979a8 EFLAGS: 00010047
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff0a540a1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000004
RBP: 1ffff11005b92f36 R08: 0000000000000001 R09: fffffbfff0a53e83
R10: ffffffff8529f417 R11: fffffbfff0a53e82 R12: 0000000000000283
R13: ffff88803e61d6c0 R14: ffff888106978012 R15: ffff88802dc97b38
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4b06bef1e0 CR3: 0000000113a3e005 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
 _raw_spin_lock_irqsave+0x41/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x280 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319
 do_accept+0x385/0x520 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7df7c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf80
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7df7dc0
Modules linked in:
---[ end trace 1f692fe5addaaf48 ]---
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4b06bef1e0 CR3: 0000000113a3e005 CR4: 0000000000770ee0
PKRU: 55555554
note: syz-executor.2[24679] exited with preempt_count 1
audit: type=1326 audit(1635672035.950:91): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=24708 comm="syz-executor.5" exe="/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x469dcd code=0x0
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#3] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 24741 Comm: syz-executor.2 Tainted: G      D W         5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x5a/0x290 kernel/locking/spinlock_debug.c:114
Code: dd de 7a 84 48 c1 ed 03 48 c7 44 24 18 80 f1 28 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4c 24 60 31
RSP: 0018:ffff88810742f9a8 EFLAGS: 00010047
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff0a540a1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000004
RBP: 1ffff11020e85f36 R08: 0000000000000001 R09: fffffbfff0a53e83
R10: ffffffff8529f417 R11: fffffbfff0a53e82 R12: 0000000000000202
R13: ffff88803e5ca8c0 R14: ffff88810697cb12 R15: ffff88810742fb38
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000558978 CR3: 0000000113a3e001 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
 _raw_spin_lock_irqsave+0x41/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x280 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319
 do_accept+0x385/0x520 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7df7c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf80
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7df7dc0
Modules linked in:
---[ end trace 1f692fe5addaaf49 ]---
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000558978 CR3: 0000000113a3e001 CR4: 0000000000770ee0
PKRU: 55555554
note: syz-executor.2[24741] exited with preempt_count 1
BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 24741, name: syz-executor.2
INFO: lockdep is turned off.
irq event stamp: 0
hardirqs last  enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [<ffffffff8113e884>] copy_process+0x1904/0x6e80 kernel/fork.c:2135
softirqs last  enabled at (0): [<ffffffff8113e8c5>] copy_process+0x1945/0x6e80 kernel/fork.c:2139
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 1 PID: 24741 Comm: syz-executor.2 Tainted: G      D W         5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 ___might_sleep.cold+0x1f3/0x239 kernel/sched/core.c:9538
 percpu_down_read include/linux/percpu-rwsem.h:49 [inline]
 cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:722 [inline]
 exit_signals+0x74/0x990 kernel/signal.c:2946
 do_exit+0x268/0x2bd0 kernel/exit.c:781
 rewind_stack_do_exit+0x17/0x17 arch/x86/entry/entry_64.S:1441
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7df7c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf80
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7df7dc0
----------------
Code disassembly (best guess):
   0:	c2 04 41             	retq   $0x4104
   3:	bf 01 00 00 00       	mov    $0x1,%edi
   8:	0f 86 cb 01 00 00    	jbe    0x1d9
   e:	89 05 01 ba c2 04    	mov    %eax,0x4c2ba01(%rip)        # 0x4c2ba15
  14:	e9 c0 01 00 00       	jmpq   0x1d9
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 ea             	mov    %r13,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 ea 27 00 00    	jne    0x281e
  34:	49 81 7d 00 00 44 c0 	cmpq   $0xffffffff85c04400,0x0(%r13)
  3b:	85
  3c:	0f                   	.byte 0xf
  3d:	84 04 f3             	test   %al,(%rbx,%rsi,8)

Config: syz.config.gz
Full syzkaller log: syz.log.gz

@pabeni pabeni self-assigned this Nov 3, 2021
@pabeni pabeni added the bug label Nov 3, 2021
@pabeni

pabeni commented Nov 3, 2021

KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885

Note that offset 0x18 corresponds to the socket_wq.wait.lock.key offset inside struct socket_wq.
This is likely caused by msk->sk_wq being NULL. Likely the first subflow was orphaned before reaching here.

Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fcdc7dd7700(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdc7d73db8 CR3: 0000000113a3e001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1a2/0x490 kernel/locking/lockdep.c:5590
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
finish_wait+0xc0/0x280 kernel/sched/wait.c:400
inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497

The above acquires the listening TCP socket lock and checks its status (TCP_LISTEN), but not whether the sk is orphaned. Plain TCP sockets can't reach there as orphans, but an mptcp subflow possibly can, even if I don't see how ?!?

mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319

Here we check for the msk status, but we have to release the msk socket lock before invoking the proto-level accept(). Adding more checks here will be useless.
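
As an added triage example (not part of the original report or of the mptcp project), the step pabeni takes above, from the non-canonical address in the GPF line back to the NULL + 0x18 offset, carried out in Python: it inverts the x86-64 generic-KASAN shadow mapping and buckets the result the way the kernel's kasan_non_canonical_hook() does. The constructed input reuses the three GPF lines from this report plus two made-up lines; the PAGE_SIZE and TASK_SIZE_MAX values are assumed x86-64 defaults.

```python
import re

# x86-64 generic KASAN shadow mapping, as in the oops above:
#   shadow(addr) = (addr >> 3) + KASAN_SHADOW_OFFSET
# A load through a small NULL+offset pointer hits a non-canonical shadow
# address, hence "general protection fault ... non-canonical address 0xdffffc00...".
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
KASAN_GRANULE_SIZE = 1 << KASAN_SHADOW_SCALE_SHIFT
PAGE_SIZE = 0x1000                       # assumed x86-64 default
TASK_SIZE_MAX = (1 << 47) - PAGE_SIZE    # assumed x86-64 user-space limit

GPF_RE = re.compile(
    r"general protection fault.*non-canonical address 0x([0-9a-fA-F]+)")


def shadow_to_range(shadow):
    """Invert the shadow mapping: the 8-byte kernel address range [lo, hi]
    whose shadow byte lives at `shadow`, or None if it is not a shadow address."""
    if shadow < KASAN_SHADOW_OFFSET:
        return None
    lo = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return lo, lo + KASAN_GRANULE_SIZE - 1


def classify(lo):
    """The same buckets the kernel's kasan_non_canonical_hook() reports."""
    if lo < PAGE_SIZE:
        return "null-ptr-deref"
    if lo < TASK_SIZE_MAX:
        return "probably user-memory-access"
    return "maybe wild-memory-access"


def triage_gpf_lines(oops_text):
    """Explain every non-canonical GPF line in an oops: returns
    (shadow, lo, hi, bug_type) tuples in order of appearance; lines whose
    address is not a KASAN shadow address are skipped."""
    out = []
    for m in GPF_RE.finditer(oops_text):
        shadow = int(m.group(1), 16)
        rng = shadow_to_range(shadow)
        if rng is None:
            continue
        lo, hi = rng
        out.append((shadow, lo, hi, classify(lo)))
    return out


# Constructed sample: the three GPF lines from the report above, plus two
# made-up lines exercising the other two buckets.
SAMPLE_OOPS = """\
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#2] PREEMPT SMP KASAN NOPTI
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#3] PREEMPT SMP KASAN NOPTI
general protection fault, probably for non-canonical address 0xdffffc0000000200: 0000 [#4] PREEMPT SMP KASAN NOPTI
general protection fault, probably for non-canonical address 0xe0000c0000000000: 0000 [#5] PREEMPT SMP KASAN NOPTI
"""

if __name__ == "__main__":
    for shadow, lo, hi, kind in triage_gpf_lines(SAMPLE_OOPS):
        # For #1 this prints offset 0x18: the socket_wq.wait.lock field pabeni names.
        print(f"shadow 0x{shadow:016x} -> {kind} in range "
              f"[0x{lo:016x}-0x{hi:016x}] (pointer offset 0x{lo:x})")
```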

@pabeni

pabeni commented Nov 3, 2021

It looks like we have a possible race triggering the above:

(on CPU 0)
listen(msk)
accept(msk)
  |-> mptcp_stream_accept(msk)
        |-> <listen status check successful>

(preempted or on CPU 1)
close(msk)
 |-> <msk->sk_state = TCP_CLOSE, ssk is orphaned, ssk state is unchanged>

(preempted or on CPU 0)
  |-> mptcp_accept()
        |-> inet_csk_accept()
              |-> <ssk status check is successful even if ssk is orphaned: oops>

Note: the above can happen even with no preemption enabled, I think, but it is then much more unlikely.

@pabeni

pabeni commented Nov 4, 2021

It looks like we have a possible race triggering the above:

(on CPU 0)
listen(msk)
accept(msk)
  |-> mptcp_stream_accept(msk)
        |-> <listen status check successful>

(preempted or on CPU 1)
close(msk)
 |-> <msk->sk_state = TCP_CLOSE, ssk is orphaned, ssk state is unchanged>

Dumb me, the above can't happen: close(msk) will call into sock_release() -> ... -> mptcp_close() only after the struct socket / inode refcnt goes to 0. In the above scenario, that is only after accept() completes.

Still looking for the real root cause.

@matttbe
Member

matttbe commented Dec 2, 2021

Syzkaller had new reproducer, nothing wrong found by looking at the code, syzkaller didn't hit this issue again: we can close this ticket for now and re-open it if something new is reported.

@matttbe matttbe closed this as completed Dec 2, 2021