
[syzkaller] Divide by 0 in mptcp_subflow_get_send() #314

Closed
mjmartineau opened this issue Oct 22, 2022 · 2 comments

@mjmartineau (Member)

Syzkaller has started reporting a divide error in mptcp_subflow_get_send() (three times in 10 minutes). Tag export/20221021T061837.

(I had not been running syzkaller most of the week due to c_start() warnings triggered by a cpumask bug, which prevented any useful syzkaller results)

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
Code: 49 0f af 5d 10 48 c1 ea 03 80 3c 02 00 0f 85 7d 06 00 00 49 8b 94 24 50 03 00 00 44 89 f0 44 89 f9 48 0f af c2 31 d2 48 01 d8 <48> f7 f1 48 8b 14 24 48 c1 ea 03 49 89 45 10 48 b8 00 00 00 00 00
RSP: 0018:ffffc9000e38f370 EFLAGS: 00010216
RAX: 06e5618100000000 RBX: 00003315a7530468 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8411a48a RDI: ffff888034110fd0
RBP: ffffc9000e38f468 R08: 0000000000000000 R09: ffffffff866ebc17
R10: fffffbfff0cdd782 R11: 0000000000000001 R12: ffff888034110c80
R13: ffff88810c145c00 R14: 00000000fff89798 R15: 0000000000000000
FS:  00007f8cc79d3640(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200c7000 CR3: 000000003779c004 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 __mptcp_push_pending+0x19e/0x770 net/mptcp/protocol.c:1550
 mptcp_sendmsg+0x694/0x19d0 net/mptcp/protocol.c:1813
 inet_sendmsg+0x11f/0x150 net/ipv4/af_inet.c:828
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0x141/0x190 net/socket.c:734
 sock_no_sendpage+0x13d/0x1c0 net/core/sock.c:3219
 inet_sendpage+0x106/0x130 net/ipv4/af_inet.c:846
 kernel_sendpage net/socket.c:3561 [inline]
 kernel_sendpage+0x276/0x820 net/socket.c:3555
 sock_sendpage+0x89/0xb0 net/socket.c:1054
 pipe_to_sendpage+0x2b4/0x390 fs/splice.c:361
 splice_from_pipe_feed fs/splice.c:415 [inline]
 __splice_from_pipe+0x46d/0x8b0 fs/splice.c:559
 splice_from_pipe fs/splice.c:594 [inline]
 generic_splice_sendpage+0xda/0x140 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 direct_splice_actor+0x115/0x190 fs/splice.c:931
 splice_direct_to_actor+0x338/0x8d0 fs/splice.c:886
 do_splice_direct+0x1bd/0x290 fs/splice.c:974
 do_sendfile+0xb18/0x12e0 fs/read_write.c:1255
 __do_sys_sendfile64 fs/read_write.c:1323 [inline]
 __se_sys_sendfile64 fs/read_write.c:1309 [inline]
 __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1309
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8cc8281e7d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8cc79d3028 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f8cc83c1050 RCX: 00007f8cc8281e7d
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f8cc82f3593 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000800002 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f8cc83c1050 R15: 00007f8cc79b3000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
Code: 49 0f af 5d 10 48 c1 ea 03 80 3c 02 00 0f 85 7d 06 00 00 49 8b 94 24 50 03 00 00 44 89 f0 44 89 f9 48 0f af c2 31 d2 48 01 d8 <48> f7 f1 48 8b 14 24 48 c1 ea 03 49 89 45 10 48 b8 00 00 00 00 00
RSP: 0018:ffffc9000e38f370 EFLAGS: 00010216
RAX: 06e5618100000000 RBX: 00003315a7530468 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8411a48a RDI: ffff888034110fd0
RBP: ffffc9000e38f468 R08: 0000000000000000 R09: ffffffff866ebc17
R10: fffffbfff0cdd782 R11: 0000000000000001 R12: ffff888034110c80
R13: ffff88810c145c00 R14: 00000000fff89798 R15: 0000000000000000
FS:  00007f8cc79d3640(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204b0000 CR3: 000000003779c006 CR4: 0000000000770ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:	49 0f af 5d 10       	imul   0x10(%r13),%rbx
   5:	48 c1 ea 03          	shr    $0x3,%rdx
   9:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   d:	0f 85 7d 06 00 00    	jne    0x690
  13:	49 8b 94 24 50 03 00 	mov    0x350(%r12),%rdx
  1a:	00
  1b:	44 89 f0             	mov    %r14d,%eax
  1e:	44 89 f9             	mov    %r15d,%ecx
  21:	48 0f af c2          	imul   %rdx,%rax
  25:	31 d2                	xor    %edx,%edx
  27:	48 01 d8             	add    %rbx,%rax
* 2a:	48 f7 f1             	div    %rcx <-- trapping instruction
  2d:	48 8b 14 24          	mov    (%rsp),%rdx
  31:	48 c1 ea 03          	shr    $0x3,%rdx
  35:	49 89 45 10          	mov    %rax,0x10(%r13)
  39:	48                   	rex.W
  3a:	b8 00 00 00 00       	mov    $0x0,%eax

Line 1486 of protocol.c is:

	subflow->avg_pacing_rate = div_u64((u64)subflow->avg_pacing_rate * wmem +
					   READ_ONCE(ssk->sk_pacing_rate) * burst,
					   burst + wmem);

So somehow wmem == -burst? (burst is already confirmed as a non-zero value)

report0.gz
log0.gz
config.gz
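An added illustration of the arithmetic at line 1486 (not code from this issue or from the mptcp tree): with `burst` non-zero but `wmem == -burst`, the divisor `burst + wmem` is zero and `div_u64()` traps, which is what the oops shows. The plain `int` types for `wmem` and `burst`, and the keep-the-old-average fallback when the divisor is not positive, are assumptions for this example, not the project's actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
typedef uint32_t u32;

/* Stand-in for the kernel's div_u64(): u64 dividend, u32 divisor.
 * A zero divisor faults here just as in the syzkaller report. */
static u64 div_u64(u64 dividend, u32 divisor)
{
	return dividend / divisor;
}

/* The divisor in the line 1486 expression is burst + wmem. Both are
 * assumed to be plain ints here (assumption): a non-zero burst does not
 * rule out wmem == -burst, which is the case the report points at. */
static bool pacing_divisor_ok(int wmem, int burst)
{
	return burst + wmem > 0;
}

/* Weighted average from protocol.c line 1486, guarded. When the divisor
 * would be zero (or negative) the previous average is kept unchanged;
 * that fallback is an illustration, not the project's actual fix. */
static u64 next_avg_pacing_rate(u64 avg_pacing_rate, u64 sk_pacing_rate,
				int wmem, int burst)
{
	if (!pacing_divisor_ok(wmem, burst))
		return avg_pacing_rate;
	return div_u64(avg_pacing_rate * wmem + sk_pacing_rate * burst,
		       burst + wmem);
}

int main(void)
{
	/* Constructed sample values, not taken from the report. */
	printf("wmem=4096 burst=4096 -> avg %llu\n",
	       (unsigned long long)next_avg_pacing_rate(1000, 2000, 4096, 4096));
	printf("wmem=-4096 burst=4096 -> divisor ok? %d\n",
	       pacing_divisor_ok(-4096, 4096));
	return 0;
}
```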

@geliangtang geliangtang self-assigned this Oct 22, 2022
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Oct 22, 2022
Fix this divide error:

----
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
----

Closes: multipath-tcp/mptcp_net-next#314
Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Geliang Tang <geliang.tang@suse.com>

intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Oct 25, 2022
…subflow_get_send

This reverts commit 8ae8437.

The wrapper mptcp_sched_get_send() will be added in the later patch
"mptcp: use get_send wrapper", and the wrapper mptcp_sched_get_retrans()
will be added in the later patch "mptcp: use get_retrans wrapper".

Fix this divide error:

----
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
----

Closes: multipath-tcp/mptcp_net-next#314
Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
matttbe pushed a commit that referenced this issue Oct 31, 2022
…subflow_get_send

This reverts commit 8ae8437.

The wrapper mptcp_sched_get_send() will be added in the later patch
"mptcp: use get_send wrapper", and the wrapper mptcp_sched_get_retrans()
will be added in the later patch "mptcp: use get_retrans wrapper".

Fix this divide error:

----
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
----

Closes: #314
Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
Link: https://lore.kernel.org/r/95f77f38e54f9564608e844f507701c04745475b.1666668425.git.geliang.tang@suse.com
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
@matttbe (Member)

matttbe commented Oct 31, 2022

Now in our tree:

Tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20221031T151210

Thank you for the fix!

@matttbe matttbe closed this as completed Oct 31, 2022
matttbe pushed a commit that referenced this issue Mar 27, 2024
In case when is64 == 1 in emit(A64_REV32(is64, dst, dst), ctx) the
generated insn reverses byte order for both high and low 32-bit words,
resulting in an incorrect swap as indicated by the jit test:

[ 9757.262607] test_bpf: #312 BSWAP 16: 0x0123456789abcdef -> 0xefcd jited:1 8 PASS
[ 9757.264435] test_bpf: #313 BSWAP 32: 0x0123456789abcdef -> 0xefcdab89 jited:1 ret 1460850314 != -271733879 (0x5712ce8a != 0xefcdab89)FAIL (1 times)
[ 9757.266260] test_bpf: #314 BSWAP 64: 0x0123456789abcdef -> 0x67452301 jited:1 8 PASS
[ 9757.268000] test_bpf: #315 BSWAP 64: 0x0123456789abcdef >> 32 -> 0xefcdab89 jited:1 8 PASS
[ 9757.269686] test_bpf: #316 BSWAP 16: 0xfedcba9876543210 -> 0x1032 jited:1 8 PASS
[ 9757.271380] test_bpf: #317 BSWAP 32: 0xfedcba9876543210 -> 0x10325476 jited:1 ret -1460850316 != 271733878 (0xa8ed3174 != 0x10325476)FAIL (1 times)
[ 9757.273022] test_bpf: #318 BSWAP 64: 0xfedcba9876543210 -> 0x98badcfe jited:1 7 PASS
[ 9757.274721] test_bpf: #319 BSWAP 64: 0xfedcba9876543210 >> 32 -> 0x10325476 jited:1 9 PASS

Fix this by forcing the 32-bit variant of rev32.

Fixes: 1104247 ("bpf, arm64: Support unconditional bswap")
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Tested-by: Puranjay Mohan <puranjay12@gmail.com>
Acked-by: Puranjay Mohan <puranjay12@gmail.com>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
Message-ID: <20240321081809.158803-1-asavkov@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
matttbe pushed a commit that referenced this issue May 20, 2024
With recent additions in BPF like cpu v4 instructions, the test_bpf module
exhibits the following failures:

  test_bpf: #82 ALU_MOVSX | BPF_B jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #83 ALU_MOVSX | BPF_H jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #84 ALU64_MOVSX | BPF_B jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #85 ALU64_MOVSX | BPF_H jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #86 ALU64_MOVSX | BPF_W jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)

  test_bpf: #165 ALU_SDIV_X: -6 / 2 = -3 jited:1 ret 2147483645 != -3 (0x7ffffffd != 0xfffffffd)FAIL (1 times)
  test_bpf: #166 ALU_SDIV_K: -6 / 2 = -3 jited:1 ret 2147483645 != -3 (0x7ffffffd != 0xfffffffd)FAIL (1 times)

  test_bpf: #169 ALU_SMOD_X: -7 % 2 = -1 jited:1 ret 1 != -1 (0x1 != 0xffffffff)FAIL (1 times)
  test_bpf: #170 ALU_SMOD_K: -7 % 2 = -1 jited:1 ret 1 != -1 (0x1 != 0xffffffff)FAIL (1 times)

  test_bpf: #172 ALU64_SMOD_K: -7 % 2 = -1 jited:1 ret 1 != -1 (0x1 != 0xffffffff)FAIL (1 times)

  test_bpf: #313 BSWAP 16: 0x0123456789abcdef -> 0xefcd
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 301 PASS
  test_bpf: #314 BSWAP 32: 0x0123456789abcdef -> 0xefcdab89
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 555 PASS
  test_bpf: #315 BSWAP 64: 0x0123456789abcdef -> 0x67452301
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 268 PASS
  test_bpf: #316 BSWAP 64: 0x0123456789abcdef >> 32 -> 0xefcdab89
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 269 PASS
  test_bpf: #317 BSWAP 16: 0xfedcba9876543210 -> 0x1032
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 460 PASS
  test_bpf: #318 BSWAP 32: 0xfedcba9876543210 -> 0x10325476
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 320 PASS
  test_bpf: #319 BSWAP 64: 0xfedcba9876543210 -> 0x98badcfe
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 222 PASS
  test_bpf: #320 BSWAP 64: 0xfedcba9876543210 >> 32 -> 0x10325476
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 273 PASS

  test_bpf: #344 BPF_LDX_MEMSX | BPF_B
  eBPF filter opcode 0091 (@5) unsupported
  jited:0 432 PASS
  test_bpf: #345 BPF_LDX_MEMSX | BPF_H
  eBPF filter opcode 0089 (@5) unsupported
  jited:0 381 PASS
  test_bpf: #346 BPF_LDX_MEMSX | BPF_W
  eBPF filter opcode 0081 (@5) unsupported
  jited:0 505 PASS

  test_bpf: #490 JMP32_JA: Unconditional jump: if (true) return 1
  eBPF filter opcode 0006 (@1) unsupported
  jited:0 261 PASS

  test_bpf: Summary: 1040 PASSED, 10 FAILED, [924/1038 JIT'ed]

Fix them by adding missing processing.

Fixes: daabb2b ("bpf/tests: add tests for cpuv4 instructions")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/91de862dda99d170697eb79ffb478678af7e0b27.1709652689.git.christophe.leroy@csgroup.eu