[syzkaller] general protection fault in inet_csk_accept (called by mptcp_accept)

mjmartineau commented 3 years ago

Syzkaller (with CONFIG_PREEMPT in the target kernel) found the following. One occurrence, no reproducer, tag export/20211028T172544 https://github.com/multipath-tcp/mptcp_net-next/commit/267276196f68c6347becd881381195009e31e634

audit: type=1326 audit(1635672035.070:90): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=24708 comm="syz-executor.5" exe="/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x469dcd code=0x0
tc_dump_action: action bad kind
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 24688 Comm: syz-executor.2 Not tainted 5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7dd7700(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdc7d73db8 CR3: 0000000113a3e001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x1a2/0x490 kernel/locking/lockdep.c:5590
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x280 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319
 do_accept+0x385/0x520 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7dd6c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057c038 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057c038
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7dd6dc0
Modules linked in:
---[ end trace 1f692fe5addaaf47 ]---
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7dd7700(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdc7d73db8 CR3: 0000000113a3e001 CR4: 0000000000770ef0
PKRU: 55555554
note: syz-executor.2[24688] exited with preempt_count 1
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:573
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 24688, name: syz-executor.2
INFO: lockdep is turned off.
irq event stamp: 2132
hardirqs last  enabled at (2131): [<ffffffff81160aa0>] __local_bh_enable_ip+0xa0/0x110 kernel/softirq.c:388
hardirqs last disabled at (2132): [<ffffffff83ab798e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (2132): [<ffffffff83ab798e>] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162
softirqs last  enabled at (2130): [<ffffffff830c4706>] lock_sock include/net/sock.h:1658 [inline]
softirqs last  enabled at (2130): [<ffffffff830c4706>] inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:450 [inline]
softirqs last  enabled at (2130): [<ffffffff830c4706>] inet_csk_accept+0x496/0xd20 net/ipv4/inet_connection_sock.c:497
softirqs last disabled at (2128): [<ffffffff82d0a08d>] spin_lock_bh include/linux/spinlock.h:368 [inline]
softirqs last disabled at (2128): [<ffffffff82d0a08d>] lock_sock_nested+0x5d/0xf0 net/core/sock.c:3288
CPU: 0 PID: 24688 Comm: syz-executor.2 Tainted: G      D           5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 ___might_sleep.cold+0x1f3/0x239 kernel/sched/core.c:9538
 __mutex_lock_common kernel/locking/mutex.c:573 [inline]
 __mutex_lock+0xbd/0x1610 kernel/locking/mutex.c:729
 io_uring_del_tctx_node+0x101/0x330 fs/io_uring.c:9694
 io_uring_clean_tctx fs/io_uring.c:9710 [inline]
 io_uring_cancel_generic+0x5c5/0x750 fs/io_uring.c:9798
 io_uring_files_cancel include/linux/io_uring.h:16 [inline]
 do_exit+0x254/0x2bd0 kernel/exit.c:780
 rewind_stack_do_exit+0x17/0x17 arch/x86/entry/entry_64.S:1441
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7dd6c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057c038 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057c038
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7dd6dc0
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#2] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 24679 Comm: syz-executor.2 Tainted: G      D W         5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x5a/0x290 kernel/locking/spinlock_debug.c:114
Code: dd de 7a 84 48 c1 ed 03 48 c7 44 24 18 80 f1 28 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4c 24 60 31
RSP: 0018:ffff88802dc979a8 EFLAGS: 00010047
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff0a540a1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000004
RBP: 1ffff11005b92f36 R08: 0000000000000001 R09: fffffbfff0a53e83
R10: ffffffff8529f417 R11: fffffbfff0a53e82 R12: 0000000000000283
R13: ffff88803e61d6c0 R14: ffff888106978012 R15: ffff88802dc97b38
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4b06bef1e0 CR3: 0000000113a3e005 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
 _raw_spin_lock_irqsave+0x41/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x280 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319
 do_accept+0x385/0x520 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7df7c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf80
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7df7dc0
Modules linked in:
---[ end trace 1f692fe5addaaf48 ]---
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4b06bef1e0 CR3: 0000000113a3e005 CR4: 0000000000770ee0
PKRU: 55555554
note: syz-executor.2[24679] exited with preempt_count 1
audit: type=1326 audit(1635672035.950:91): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=24708 comm="syz-executor.5" exe="/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x469dcd code=0x0
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#3] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 24741 Comm: syz-executor.2 Tainted: G      D W         5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x5a/0x290 kernel/locking/spinlock_debug.c:114
Code: dd de 7a 84 48 c1 ed 03 48 c7 44 24 18 80 f1 28 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4c 24 60 31
RSP: 0018:ffff88810742f9a8 EFLAGS: 00010047
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff0a540a1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000004
RBP: 1ffff11020e85f36 R08: 0000000000000001 R09: fffffbfff0a53e83
R10: ffffffff8529f417 R11: fffffbfff0a53e82 R12: 0000000000000202
R13: ffff88803e5ca8c0 R14: ffff88810697cb12 R15: ffff88810742fb38
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000558978 CR3: 0000000113a3e001 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
 _raw_spin_lock_irqsave+0x41/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x280 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871
 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742
 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319
 do_accept+0x385/0x520 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7df7c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf80
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7df7dc0
Modules linked in:
---[ end trace 1f692fe5addaaf49 ]---
RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885
Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3
RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018
RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fcdc7df8700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000558978 CR3: 0000000113a3e001 CR4: 0000000000770ee0
PKRU: 55555554
note: syz-executor.2[24741] exited with preempt_count 1
BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 24741, name: syz-executor.2
INFO: lockdep is turned off.
irq event stamp: 0
hardirqs last  enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [<ffffffff8113e884>] copy_process+0x1904/0x6e80 kernel/fork.c:2135
softirqs last  enabled at (0): [<ffffffff8113e8c5>] copy_process+0x1945/0x6e80 kernel/fork.c:2139
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 1 PID: 24741 Comm: syz-executor.2 Tainted: G      D W         5.15.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 ___might_sleep.cold+0x1f3/0x239 kernel/sched/core.c:9538
 percpu_down_read include/linux/percpu-rwsem.h:49 [inline]
 cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:722 [inline]
 exit_signals+0x74/0x990 kernel/signal.c:2946
 do_exit+0x268/0x2bd0 kernel/exit.c:781
 rewind_stack_do_exit+0x17/0x17 arch/x86/entry/entry_64.S:1441
RIP: 0033:0x469dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcdc7df7c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 0000000000469dcd
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004d4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf80
R13: 00007ffedb1cc23f R14: 00007ffedb1cc3e0 R15: 00007fcdc7df7dc0
----------------
Code disassembly (best guess):
   0:   c2 04 41                retq   $0x4104
   3:   bf 01 00 00 00          mov    $0x1,%edi
   8:   0f 86 cb 01 00 00       jbe    0x1d9
   e:   89 05 01 ba c2 04       mov    %eax,0x4c2ba01(%rip)        # 0x4c2ba15
  14:   e9 c0 01 00 00          jmpq   0x1d9
  19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  20:   fc ff df
  23:   4c 89 ea                mov    %r13,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:   0f 85 ea 27 00 00       jne    0x281e
  34:   49 81 7d 00 00 44 c0    cmpq   $0xffffffff85c04400,0x0(%r13)
  3b:   85
  3c:   0f                      .byte 0xf
  3d:   84 04 f3                test   %al,(%rbx,%rsi,8)

Config: syz.config.gz Full syzkaller log: syz.log.gz

pabeni commented 2 years ago

KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:__lock_acquire+0xdc5/0x5160 kernel/locking/lockdep.c:4885

Note that offset 0x18 correspond to socket_wq.wait.lock.key offset inside struct socket_wq This is likely caused by msk->sk_wq being NULL. Likely the first subflow was orphaned before reaching here.

Code: c2 04 41 bf 01 00 00 00 0f 86 cb 01 00 00 89 05 01 ba c2 04 e9 c0 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 ea 27 00 00 49 81 7d 00 00 44 c0 85 0f 84 04 f3 RSP: 0018:ffff88802c86f7e0 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 1ffff1100590df2d RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000018 RBP: ffff8880373ec180 R08: 0000000000000001 R09: 0000000000000001 R10: ffff88811b03084b R11: ffffed1023606109 R12: 0000000000000000 R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000 FS: 00007fcdc7dd7700(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fcdc7d73db8 CR3: 0000000113a3e001 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: lock_acquire kernel/locking/lockdep.c:5625 [inline] lock_acquire+0x1a2/0x490 kernel/locking/lockdep.c:5590 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 finish_wait+0xc0/0x280 kernel/sched/wait.c:400 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline] inet_csk_accept+0xa69/0xd20 net/ipv4/inet_connection_sock.c:497

The above acquires the listening TCP socket lock and check its status (TCP_LISTEN), but not for the sk being orphaned. Plain TCP socket can't reach there as orphans, but mptcp subflow possibly can, even if don't see how ?!?

mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2871 inet_accept+0xeb/0x790 net/ipv4/af_inet.c:742 mptcp_stream_accept+0x2e9/0x10c0 net/mptcp/protocol.c:3319

Here we check for the msk status, but we have to release the msk socket lock bevore invoking proto-level accept(). Adding more checks here will be useless.

pabeni commented 2 years ago

it looks like we have a possible race triggering the above:

(on CPU 0)
listen(msk)
accept(msk)
  |-> mptcp_stream_accept(msk)
        |-> <listen status check successful>

(preempted or on CPU 1)
close(msk)
 |-> <msk->sk_state = TCP_CLOSE, ssk is orphaned, ssk state is unchanged>

(preempted or on CPU 0)
  |-> mptcp_accept()
        |-> inet_csk_accept()
              |-> <ssk status check is successful even if ssk is orphaned: oops>

Note: the above can happen even with no preemption enabled, I think, but is even much more unlikely.

pabeni commented 2 years ago

it looks like we have a possible race triggering the above:


(on CPU 0)
listen(msk)
accept(msk)
  |-> mptcp_stream_accept(msk)
        |-> <listen status check successful>

(preempted or on CPU 1)
close(msk)
 |-> <msk->sk_state = TCP_CLOSE, ssk is orphaned, ssk state is unchanged>

Dumb me, the above can't happen: close(msk) will call into sock_release() -> ... -> mptcp_close() only after the struct socket/ inode refcnt goes to 0. In the above scenario, only after accept() completes.

Still looking for the real root cause

matttbe commented 2 years ago

Syzkaller had new reproducer, nothing wrong found by looking at the code, syzkaller didn't hit this issue again: we can close this ticket for now and re-open it if something new is reported.

multipath-tcp / mptcp_net-next

[syzkaller] general protection fault in inet_csk_accept (called by mptcp_accept) #239