multipath-tcp / mptcp_net-next

Development version of the Upstream MultiPath TCP Linux kernel 🐧
https://mptcp.dev

syzkaller: possible deadlock in `subflow_error_report` #355

Closed cpaasch closed 1 year ago

cpaasch commented 1 year ago

Head: 0150d5be08

Trace:

======================================================
WARNING: possible circular locking dependency detected
6.2.0-rc7-g0150d5be0898 #4 Not tainted
------------------------------------------------------
syz-executor627/1119 is trying to acquire lock:
ffff888005e5c130 (slock-AF_INET){+.-.}-{2:2}, at: subflow_error_report (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1717 /home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1812 /home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1818 /home/cpaasch/builder/mptcp_nn_export/net/mptcp/subflow.c:1441)

but task is already holding lock:
ffff8880062ecac8 (&queue->rskq_lock){+.-.}-{2:2}, at: inet_csk_reqsk_queue_add (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1302)

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&queue->rskq_lock){+.-.}-{2:2}:
_raw_spin_lock (/home/cpaasch/builder/mptcp_nn_export/./include/linux/spinlock_api_smp.h:134 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/spinlock.c:154)
inet_csk_complete_hashdance (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1302 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1354)
tcp_check_req (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_minisocks.c:817)
tcp_v4_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:2074)
ip_protocol_deliver_rcu (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:205 (discriminator 1))
ip_local_deliver (/home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:793 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:234 /home/cpaasch/builder/mptcp_nn_export/./include/linux/netfilter.h:411 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:254)
ip_sublist_rcv_finish (/home/cpaasch/builder/mptcp_nn_export/./include/net/dst.h:454 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:580)
ip_list_rcv_finish.constprop.0 (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:631)
ip_list_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:638)
__netif_receive_skb_list_core (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5527 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5575)
netif_receive_skb_list_internal (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5629 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5718)
napi_complete_done (/home/cpaasch/builder/mptcp_nn_export/./include/linux/list.h:37 /home/cpaasch/builder/mptcp_nn_export/./include/net/gro.h:434 /home/cpaasch/builder/mptcp_nn_export/./include/net/gro.h:429 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6058)
e1000_clean (/home/cpaasch/builder/mptcp_nn_export/drivers/net/ethernet/intel/e1000/e1000_main.c:3811)
__napi_poll.constprop.0 (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6488)
net_rx_action (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6556 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6664)
__do_softirq (/home/cpaasch/builder/mptcp_nn_export/./arch/x86/include/asm/jump_label.h:27 /home/cpaasch/builder/mptcp_nn_export/./include/linux/jump_label.h:207 /home/cpaasch/builder/mptcp_nn_export/./include/trace/events/irq.h:142 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:572)
run_ksoftirqd (/home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:425 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:935 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:926)
smpboot_thread_fn (/home/cpaasch/builder/mptcp_nn_export/kernel/smpboot.c:164 (discriminator 3))
kthread (/home/cpaasch/builder/mptcp_nn_export/kernel/kthread.c:376)
ret_from_fork (/home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/entry_64.S:314)

-> #0 (slock-AF_INET){+.-.}-{2:2}:
__lock_acquire (/home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:3098 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:3216 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:3831 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:5055)
lock_acquire (/home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:466 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:5670 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:5633)
_raw_spin_lock_bh (/home/cpaasch/builder/mptcp_nn_export/./include/linux/spinlock_api_smp.h:127 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/spinlock.c:178)
subflow_error_report (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1717 /home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1812 /home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1818 /home/cpaasch/builder/mptcp_nn_export/net/mptcp/subflow.c:1441)
sk_error_report (/home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:347)
tcp_disconnect (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp.c:3210)
inet_child_forget (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:2099 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1276)
inet_csk_reqsk_queue_add (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1304)
tcp_get_cookie_sock (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/syncookies.c:219)
cookie_v4_check (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/syncookies.c:448)
tcp_v4_do_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:1670 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:1730)
tcp_v4_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:2133)
ip_protocol_deliver_rcu (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:205 (discriminator 1))
ip_local_deliver (/home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:793 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:234 /home/cpaasch/builder/mptcp_nn_export/./include/linux/netfilter.h:411 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:254)
ip_rcv (/home/cpaasch/builder/mptcp_nn_export/./include/net/dst.h:454 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:449 /home/cpaasch/builder/mptcp_nn_export/./include/linux/netfilter.h:411 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:569)
__netif_receive_skb_one_core (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5484 (discriminator 4))
__netif_receive_skb (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5598)
process_backlog (/home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:793 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5927)
__napi_poll.constprop.0 (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6488)
net_rx_action (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6556 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6664)
__do_softirq (/home/cpaasch/builder/mptcp_nn_export/./arch/x86/include/asm/jump_label.h:27 /home/cpaasch/builder/mptcp_nn_export/./include/linux/jump_label.h:207 /home/cpaasch/builder/mptcp_nn_export/./include/trace/events/irq.h:142 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:572)
do_softirq (/home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:472 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:459)
__local_bh_enable_ip (/home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:396)
ip_finish_output2 (/home/cpaasch/builder/mptcp_nn_export/./include/linux/bottom_half.h:33 /home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:834 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:229)
__ip_finish_output (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:306)
ip_local_out (/home/cpaasch/builder/mptcp_nn_export/./include/net/dst.h:444 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:126)
__ip_queue_xmit (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:532)
__tcp_transmit_skb (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_output.c:1399 (discriminator 4))
__tcp_send_ack.part.0 (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_output.c:3984)
tcp_send_ack (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_output.c:3990)
tcp_rcv_state_process (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_input.c:6502 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_input.c:6501)
tcp_v4_do_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:1744)
__release_sock (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1113 /home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:2932)
release_sock (/home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:3504)
mptcp_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1745 /home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1778)
inet_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/af_inet.c:833 (discriminator 5))
____sys_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/socket.c:722 /home/cpaasch/builder/mptcp_nn_export/net/socket.c:745 /home/cpaasch/builder/mptcp_nn_export/net/socket.c:2501)
___sys_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/socket.c:2557)
__sys_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/socket.c:2586)
do_syscall_64 (/home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/common.c:50 /home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (/home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/entry_64.S:120)

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&queue->rskq_lock);
                               lock(slock-AF_INET);
                               lock(&queue->rskq_lock);
  lock(slock-AF_INET);

*** DEADLOCK ***

7 locks held by syz-executor627/1119:
#0: ffff888005e5b6f0 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1775)
#1: ffff8880062ed1b0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: mptcp_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1736 /home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1778)
#2: ffffffff8293eea0 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:455)
#3: ffffffff8293eea0 (rcu_read_lock){....}-{1:2}, at: process_backlog (/home/cpaasch/builder/mptcp_nn_export/./include/linux/skbuff.h:2332 /home/cpaasch/builder/mptcp_nn_export/./include/linux/skbuff.h:2352 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5924)
#4: ffffffff8293eea0 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver (/home/cpaasch/builder/mptcp_nn_export/./include/linux/skbuff.h:2622 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:230 /home/cpaasch/builder/mptcp_nn_export/./include/linux/netfilter.h:411 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:254)
#5: ffff8880062edcb0 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock (/home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:2277)
#6: ffff8880062ecac8 (&queue->rskq_lock){+.-.}-{2:2}, at: inet_csk_reqsk_queue_add (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1302)

stack backtrace:
CPU: 1 PID: 1119 Comm: syz-executor627 Not tainted 6.2.0-rc7-g0150d5be0898 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (/home/cpaasch/builder/mptcp_nn_export/lib/dump_stack.c:107 (discriminator 4))
check_noncircular (/home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:2180)
__lock_acquire (/home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:3098 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:3216 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:3831 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:5055)
lock_acquire (/home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:466 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:5670 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/lockdep.c:5633)
_raw_spin_lock_bh (/home/cpaasch/builder/mptcp_nn_export/./include/linux/spinlock_api_smp.h:127 /home/cpaasch/builder/mptcp_nn_export/kernel/locking/spinlock.c:178)
subflow_error_report (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1717 /home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1812 /home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1818 /home/cpaasch/builder/mptcp_nn_export/net/mptcp/subflow.c:1441)
sk_error_report (/home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:347)
tcp_disconnect (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp.c:3210)
inet_child_forget (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:2099 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1276)
inet_csk_reqsk_queue_add (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/inet_connection_sock.c:1304)
tcp_get_cookie_sock (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/syncookies.c:219)
cookie_v4_check (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/syncookies.c:448)
tcp_v4_do_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:1670 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:1730)
tcp_v4_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:2133)
ip_protocol_deliver_rcu (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:205 (discriminator 1))
ip_local_deliver (/home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:793 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:234 /home/cpaasch/builder/mptcp_nn_export/./include/linux/netfilter.h:411 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:254)
ip_rcv (/home/cpaasch/builder/mptcp_nn_export/./include/net/dst.h:454 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:449 /home/cpaasch/builder/mptcp_nn_export/./include/linux/netfilter.h:411 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_input.c:569)
__netif_receive_skb_one_core (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5484 (discriminator 4))
__netif_receive_skb (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5598)
process_backlog (/home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:793 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:5927)
__napi_poll.constprop.0 (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6488)
net_rx_action (/home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6556 /home/cpaasch/builder/mptcp_nn_export/net/core/dev.c:6664)
__do_softirq (/home/cpaasch/builder/mptcp_nn_export/./arch/x86/include/asm/jump_label.h:27 /home/cpaasch/builder/mptcp_nn_export/./include/linux/jump_label.h:207 /home/cpaasch/builder/mptcp_nn_export/./include/trace/events/irq.h:142 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:572)
do_softirq (/home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:472 /home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:459)
</IRQ>
<TASK>
__local_bh_enable_ip (/home/cpaasch/builder/mptcp_nn_export/kernel/softirq.c:396)
ip_finish_output2 (/home/cpaasch/builder/mptcp_nn_export/./include/linux/bottom_half.h:33 /home/cpaasch/builder/mptcp_nn_export/./include/linux/rcupdate.h:834 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:229)
__ip_finish_output (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:306)
ip_local_out (/home/cpaasch/builder/mptcp_nn_export/./include/net/dst.h:444 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:126)
__ip_queue_xmit (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/ip_output.c:532)
__tcp_transmit_skb (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_output.c:1399 (discriminator 4))
__tcp_send_ack.part.0 (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_output.c:3984)
tcp_send_ack (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_output.c:3990)
tcp_rcv_state_process (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_input.c:6502 /home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_input.c:6501)
tcp_v4_do_rcv (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/tcp_ipv4.c:1744)
__release_sock (/home/cpaasch/builder/mptcp_nn_export/./include/net/sock.h:1113 /home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:2932)
release_sock (/home/cpaasch/builder/mptcp_nn_export/net/core/sock.c:3504)
mptcp_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1745 /home/cpaasch/builder/mptcp_nn_export/net/mptcp/protocol.c:1778)
inet_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/ipv4/af_inet.c:833 (discriminator 5))
____sys_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/socket.c:722 /home/cpaasch/builder/mptcp_nn_export/net/socket.c:745 /home/cpaasch/builder/mptcp_nn_export/net/socket.c:2501)
___sys_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/socket.c:2557)
__sys_sendmsg (/home/cpaasch/builder/mptcp_nn_export/net/socket.c:2586)
do_syscall_64 (/home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/common.c:50 /home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (/home/cpaasch/builder/mptcp_nn_export/arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7fa78a5526a9
Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
All code
========
   0:   5c                      pop    %rsp
   1:   c3                      retq
   2:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
   9:   00 00 00
   c:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  11:   48 89 f8                mov    %rdi,%rax
  14:   48 89 f7                mov    %rsi,%rdi
  17:   48 89 d6                mov    %rdx,%rsi
  1a:   48 89 ca                mov    %rcx,%rdx
  1d:   4d 89 c2                mov    %r8,%r10
  20:   4d 89 c8                mov    %r9,%r8
  23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax     <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      retq
  33:   48 8b 0d 4f 37 0d 00    mov    0xd374f(%rip),%rcx        # 0xd3789
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      retq
   9:   48 8b 0d 4f 37 0d 00    mov    0xd374f(%rip),%rcx        # 0xd375f
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
RSP: 002b:00007fa78a47fe38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000607208 RCX: 00007fa78a5526a9
RDX: 0000000020040000 RSI: 0000000020000340 RDI: 0000000000000004
RBP: 0000000000607200 R08: 00007ffc736f3d48 R09: 00007ffc736f3d48
R10: 00007ffc736f3d48 R11: 0000000000000246 R12: 000000000060720c
R13: ffffffffffffff80 R14: 000000000000000b R15: 000000000001ff00
</TASK>
net_ratelimit: 1040 callbacks suppressed
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
net_ratelimit: 1135 callbacks suppressed
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.
TCP: request_sock_subflow_v4: Possible SYN flooding on port 172.20.20.170:20004. Sending cookies.

Reproducer:

# {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e24, @multicast2}, 0x10)
connect$inet(r0, &(0x7f00000000c0)={0x2, 0x0, @local}, 0x10)
listen(r0, 0x0)
r1 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmsg$inet(r1, &(0x7f0000000340)={&(0x7f0000000000)={0x2, 0x4e24, @local}, 0x10, 0x0}, 0x20040000) (async)
sendmmsg$inet(r0, &(0x7f0000002f80)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20000000)

Kconfig: Kconfig_k5_lockdep.txt

C-repro: repro_subflow_error_report.c.txt

cpaasch commented 1 year ago

FYI: Suggested fix from #354 resolves the issue.

cpaasch commented 1 year ago

FYI: bisected to 7d803344fdc3 - which is in v6.2-rc3

matttbe commented 1 year ago

Just to avoid confusion, here is the fix for #355 from Paolo:

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 8b46311b8d5e..8d4c6e75c6a3 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1437,6 +1437,9 @@ static void subflow_error_report(struct sock *ssk)
 {
        struct sock *sk = mptcp_subflow_ctx(ssk)->conn;

+       if (!sk->sk_socket)
+               return;
+
        mptcp_data_lock(sk);
        if (!sock_owned_by_user(sk))
                __mptcp_error_report(sk);
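
Review bot: the new `if (!sk->sk_socket) return;` at the top of subflow_error_report() has no comment saying which state of the MPTCP socket a NULL sk_socket stands for, or why it is safe to drop the subflow error in that state. The test also runs before mptcp_data_lock(sk), so it is an unlocked read of sk->sk_socket. Please add a short comment above the check explaining why that read is fine and that the early return is what keeps this path from reaching mptcp_data_lock(sk), and state in the commit message whether an error skipped here is reported some other way.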