multipath-tcp / mptcp_net-next

Development version of the Upstream MultiPath TCP Linux kernel 🐧
https://mptcp.dev

[syzkaller] WARNING: refcount bug in mptcp_incoming_options #153

Closed cpaasch closed 3 years ago

cpaasch commented 3 years ago
TCP: request_sock_subflow: Possible SYN flooding on port 20000. Sending cookies.  Check SNMP counters.
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 19675 at lib/refcount.c:25 refcount_warn_saturate+0x178/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 19675 Comm: syz-executor.6 Not tainted 5.11.0-rc6f4cf537c3f631bd20660bf4b037a89317eb2cd74 #69
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x178/0x1f0 lib/refcount.c:25
Code: 02 31 ff 89 de e8 68 87 7a ff 84 db 0f 85 2e ff ff ff e8 0b 80 7a ff 48 c7 c7 40 83 32 83 c6 05 2a 57 12 02 01 e8 be 6f fc 00 <0f> 0b e9 0f ff ff ff e8 ec 7f 7a ff 0f b6 1d 14 57 12 02 31 ff 89
RSP: 0018:ffffc90000007608 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88810b5c8000 RSI: ffffffff8121c6b3 RDI: fffff52000000eb3
RBP: ffff88810659e080 R08: 0000000000000001 R09: 0000000000000000
R10: ffffffff8140169b R11: 0000000000000000 R12: ffff88810659e000
R13: ffff88810659e080 R14: ffff88810659e000 R15: 1dbfa0792f2c52ae
FS:  00007f805836c800(0000) GS:ffff88811b400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8058328ef8 CR3: 000000001cff6003 CR4: 0000000000170ef0
Call Trace:
 <IRQ>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 sock_hold include/net/sock.h:698 [inline]
 mptcp_incoming_options+0x1c00/0x1e20 net/mptcp/options.c:1064
 tcp_data_queue+0x10bd/0x49f0 net/ipv4/tcp_input.c:4945
 tcp_rcv_state_process+0xbe6/0x48f0 net/ipv4/tcp_input.c:6548
 tcp_v4_do_rcv+0x30e/0x860 net/ipv4/tcp_ipv4.c:1698
 tcp_v4_rcv+0x224a/0x2b40 net/ipv4/tcp_ipv4.c:2059
 ip_protocol_deliver_rcu+0x2b/0x200 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_local_deliver+0x2bf/0x370 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:447 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_rcv+0xeb/0x140 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5332
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5446
 process_backlog+0x1ad/0x560 net/core/dev.c:6325
 napi_poll net/core/dev.c:6803 [inline]
 net_rx_action+0x3d6/0xe90 net/core/dev.c:6886
 __do_softirq+0x183/0x56f kernel/softirq.c:343
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:246 [inline]
 do_softirq+0x5f/0x80 kernel/softirq.c:233
 __local_bh_enable_ip+0x46/0x50 kernel/softirq.c:196
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:737 [inline]
 ip_finish_output2+0x6d0/0x16f0 net/ipv4/ip_output.c:231
 __ip_finish_output+0x3bb/0x7c0 net/ipv4/ip_output.c:308
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0x184/0x1e0 net/ipv4/ip_output.c:126
 __ip_queue_xmit+0x77a/0x1500 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x2a65/0x35e0 net/ipv4/tcp_output.c:1405
 __tcp_send_ack.part.0+0x3da/0x650 net/ipv4/tcp_output.c:3974
 __tcp_send_ack net/ipv4/tcp_output.c:3980 [inline]
 tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3980
 mptcp_subflow_shutdown+0x1f5/0x2f0 net/mptcp/protocol.c:2417
 __mptcp_check_send_data_fin+0x1d4/0x300 net/mptcp/protocol.c:2486
 __mptcp_wr_shutdown net/mptcp/protocol.c:2502 [inline]
 mptcp_close+0x573/0x750 net/mptcp/protocol.c:2562
 inet_release+0xe9/0x1f0 net/ipv4/af_inet.c:434
 __sock_release+0xd2/0x280 net/socket.c:597
 sock_close+0x15/0x20 net/socket.c:1256
 __fput+0x261/0x940 fs/file_table.c:280
 task_work_run+0x105/0x1c0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x10a/0x110 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:302
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f8057f4528d
Code: c1 20 00 00 75 10 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 37 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd107a0160 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007f8057f4528d
RDX: 0000000000000000 RSI: 00000000006acad8 RDI: 0000000000000006
RBP: 0000000000000000 R08: 00000000006acaa0 R09: 0000000000000000
R10: 00000000006aca88 R11: 0000000000000293 R12: 0000000000000048
R13: 00000000006acad8 R14: 0000000000000000 R15: 000000000022d4b6

HEAD:
f4cf537c3f63 ("mptcp: init mptcp request socket earlier") (HEAD) (5 days ago)
10f1569c7d9b ("mptcp: fix spurious retransmissions") (5 days ago)
92eab0bc98bc ("DO-NOT-MERGE: mptcp: enabled by default") (tag: export/20210203T131132, mptcp_net-next/export) (5 days ago)
6cf73008bc8e ("DO-NOT-MERGE: mptcp: add GitHub Actions") (5 days ago)
26c89a55761f ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (5 days ago)
6fd2b70123c3 ("mptcp: fix poll after shutdown") (5 days ago)
624d226e9b65 ("mptcp: deliver ssk errors to msk") (5 days ago)
8e1559ffe592 ("mptcp: add netlink event support") (5 days ago)
68f9ec0be460 ("genetlink: add CAP_NET_ADMIN test for multicast bind") (5 days ago)
049f222a9341 ("mptcp: avoid lock_fast usage in accept path") (5 days ago)
c9997603655d ("mptcp: pass subflow socket to a few helpers") (5 days ago)
18bcdcc18477 ("mptcp: split __mptcp_close_ssk helper") (5 days ago)
8e7a8bb523ae ("mptcp: move pm netlink work into pm_netlink") (5 days ago)
2317a88153e3 ("mptcp: pm: add lockdep assertions") (5 days ago)
e257fdaa8f30 ("selftests: mptcp: add command line arguments for mptcp_join.sh") (5 days ago)
518108eb812b ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (5 days ago)
e739cc369933 ("bpf:selftests: add MPTCP test base") (5 days ago)
9e0cb69ba779 ("bpf: add 'bpf_mptcp_sock' structure and helper") (5 days ago)
31bcc185a353 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (5 days ago)
4b4b5dc1f318 ("linux: handle MPTCP consistently with TCP") (5 days ago)
32d1bbb1d609 ("net: fec: Silence M5272 build warnings") (mptcp_net-next/net-next) (6 days ago)
fca23f37f3a7 ("inet: do not export inetgro{receive|complete}") (6 days ago)
0256317a6151 ("Merge tag 'mac80211-next-for-net-next-2021-02-02' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next") (6 days ago)

CONFIG-file: CONFIG.txt

pabeni commented 3 years ago

mptcp_incoming_options+0x1c00/0x1e20 net/mptcp/options.c:1064

This is:

	if (mp_opt.data_fin && mp_opt.data_len == 1 &&
	    mptcp_update_rcv_data_fin(msk, mp_opt.data_seq, mp_opt.dsn64) &&
	    schedule_work(&msk->work))
		sock_hold(subflow->conn);
		// ^^^^^^^^^ here

The subflow is not in CLOSED, SYN_SENT or SYN_RECV state, because the caller is tcp_rcv_state_process():

  case TCP_ESTABLISHED:
            tcp_data_queue(sk, skb);
            queued = 1;

And there are a few 'fallback' statements above from the non-mentioned states possibly leading to that call.

The reference to subflow->conn held by the subflow is released via ulp_release by inet_csk_destroy_sock(), which in turn can happen only if the ssk is in CLOSE state.

Additionally, the msk memory is touched just before the reported splat, by schedule_work, apparently without a KASAN complaint for a UaF.

@cpaasch: any luck with a reproducer here? How easily could you trigger this one?
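As an added illustration, not code from this thread or from the kernel: a small userspace model of the refcount_t semantics in lib/refcount.c that produce the "addition on 0; use-after-free" warning, plus a hypothetical replay() helper that contrasts a sound hold/put sequence with the shape of this splat, a sock_hold() arriving after the last reference was already put. All names below are assumptions; the kernel's real refcount_t is atomic and this model is not.

```c
#include <limits.h>
#include <stdbool.h>

#define REFCOUNT_SATURATED (INT_MIN / 2) /* where lib/refcount.c pins a broken counter */
enum refcount_event { REF_OK, REF_ADD_UAF, REF_SUB_UAF };
struct model_refcount { int refs; enum refcount_event last; }; /* stand-in for refcount_t */

/* Model of refcount_inc(), which sock_hold() calls. Incrementing from 0 means the last
 * reference is already gone: the kernel warns "addition on 0; use-after-free" and
 * saturates the counter so it can never legitimately reach 0 again. */
static void model_refcount_inc(struct model_refcount *r)
{
	if (r->refs == 0) {
		r->refs = REFCOUNT_SATURATED;
		r->last = REF_ADD_UAF;
		return;
	}
	if (r->refs > 0)
		r->refs++; /* a saturated (negative) counter stays put */
	r->last = REF_OK;
}

/* Model of refcount_dec_and_test(), which sock_put() uses: true exactly once, when
 * the final reference is dropped; dropping below 0 is an underflow use-after-free. */
static bool model_refcount_dec_and_test(struct model_refcount *r)
{
	if (r->refs <= 0) {
		r->refs = REFCOUNT_SATURATED;
		r->last = REF_SUB_UAF;
		return false;
	}
	r->last = REF_OK;
	return --r->refs == 0;
}

struct replay_result { enum refcount_event first_event; int releases; };

/* Hypothetical helper: replay a hold/put sequence on an object born with one reference
 * ('H' = sock_hold(), 'P' = sock_put()). Reports the first UAF event seen and how many
 * times dec_and_test asked for the object to be freed; a sound run frees it exactly once. */
struct replay_result replay(const char *ops)
{
	struct model_refcount obj = { .refs = 1, .last = REF_OK };
	struct replay_result res = { REF_OK, 0 };
	for (; *ops; ops++) {
		if (*ops == 'H')
			model_refcount_inc(&obj);
		else if (*ops == 'P')
			res.releases += model_refcount_dec_and_test(&obj);
		if (res.first_event == REF_OK)
			res.first_event = obj.last;
	}
	return res;
}
```

replay("PH") is the shape of this report: the only reference is dropped, then a late sock_hold() finds the counter at 0.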

cpaasch commented 3 years ago

No, no reproducer yet.

matttbe commented 3 years ago

From the weekly meeting we just had: