multipath-tcp / mptcp_net-next

Development version of the Upstream MultiPath TCP Linux kernel 🐧
https://mptcp.dev

[syzkaller] WARNING in `__mptcp_clean_una` #493

Closed cpaasch closed 3 months ago

cpaasch commented 6 months ago

syzkaller-id: 1a7fbf9ed6cbc80305d5bf808b47edb978a3803c

Trace:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 12837 at net/mptcp/protocol.c:1006 __mptcp_clean_una+0x63a/0x660
Modules linked in:
CPU: 1 PID: 12837 Comm: kworker/1:3 Not tainted 6.9.0-rc7-g7da7119fe22b #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__mptcp_clean_una+0x63a/0x660 net/mptcp/protocol.c:1006
Code: e9 cb 0f 2e ff e8 c6 d0 d7 fe 41 8b 86 78 01 00 00 41 03 86 c0 00 00 00 29 c5 85 ed 44 0f 4f ed e9 f3 fb ff ff e8 a6 d0 d7 fe <0f> 0b e9 d6 fa ff ff e8 9a d0 d7 fe 0f 0b e9 3b fc ff ff e8 8e d0
RSP: 0018:ffffc9000068bd08 EFLAGS: 00010293
RAX: ffffffff8249a4ea RBX: ffff88811d100150 RCX: ffff8881003cadc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff82499f60 R09: fefefefefefefeff
R10: 0000000000000018 R11: ffffffff8249e260 R12: 0000000000000000
R13: ffff888131158000 R14: ffff888116196e80 R15: ffff888116197518
FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0015e7000 CR3: 0000000128fae002 CR4: 0000000000170ef0
Call Trace:
 <TASK>
 __mptcp_clean_una_wakeup net/mptcp/protocol.c:1056 [inline]
 mptcp_clean_una_wakeup net/mptcp/protocol.c:1063 [inline]
 __mptcp_retrans+0x7e/0x740 net/mptcp/protocol.c:2616
 mptcp_worker+0x7d4/0xc80 net/mptcp/protocol.c:2768
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x257/0x610 kernel/workqueue.c:3348
 worker_thread+0x3a8/0x560 kernel/workqueue.c:3429
 kthread+0x144/0x180 kernel/kthread.c:388
 ret_from_fork+0x4d/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------

Happening on K7

THE REPRODUCERS DON'T WORK FOR ME THOUGH.

Reproducer:

# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r0, &(0x7f0000000180)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x9, 0x3, 0x268, 0x0, 0xffffffff, 0xffffffff, 0xc8, 0xffffffff, 0xc8, 0xffffffff, 0xffffffff, 0x198, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@empty, @private0, [], [], 'dvmrp0\x00', 'batadv0\x00'}, 0x0, 0xa8, 0xc8}, @unspec=@NOTRACK={0x20}}, {{@uncond, 0x0, 0xa8, 0xd0}, @common=@unspec=@STANDARD={0x28, '\x00', 0x0, 0xffffffffffffffff}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x2c8)
sendmmsg$inet6(r0, &(0x7f00000009c0)=[{{0x0, 0x0, &(0x7f0000000400)=[{&(0x7f00000001c0)='\x00', 0x1}], 0x1}}, {{0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000480)='a', 0x1}], 0x1}}, {{0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000300)="f9a69275a50c024d63bac6ae029dd23bb06cb1b76da02cb333fccfbe06e65b0e9b23439992036a3dfeaf54228fa6e2b7ba11c3915bb3db02267b866740e7873a9fcf4f2d3ef7a37cd4b6b711d6f31a4265f9d6b0120fc4b0c81c98f0db4341f0cdfaf02b7eb770a24b7741a5194fbf6d9e2c08cbd7b090e7c4b404211062d35bb9d9616ddd3cf2432009344ecad694de9f88f6194cd740f8a8ab111750a5b774b7ca5e8dea38dee41fc42da4e5b1fe5f82ff84aa6329189d05d5670a74be07c6859281842a5a4e", 0xc7}, {&(0x7f0000000200)="7b5440fbf9942edc32e00cce2a07d4aef857f7ae389c92833cbca050ded847b589bd6d203e06df413698f6f60db7516603b096a5241ad1b4a32d567c3fc455cce9d01345fb2ebb0370518adab90bcb3140440de1ae121d9650b12ff819e2337d78197385b74768304ca0825bc82576624dd737e5d36d4a1f3739383296e4928003ee065393b4240e89809d0cae881377eb7fa52e915d568e870f2938bea026eefd9ed6519f65002287d4f5177480b9ed2712b1604533308826eab539306d2fc5de5ba98b5b17e32bd6d938910e384b40e8a47215f52c2fc2ef16c8dae89b118667dd", 0xe2}], 0x2}}, {{0x0, 0x42, &(0x7f0000003300)=[{&(0x7f0000001040)="92", 0xffffff0a}], 0x1}}, {{0x0, 0x0, 0x0, 0xffffff7f}}], 0x5, 0x0)

C-repro: repro.c.txt

cpaasch commented 5 months ago

Another reproducer on k7:

# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = socket$inet6_mptcp(0xa, 0x1, 0x106)
dup2(r0, r1)
bind$inet6(r1, &(0x7f0000000180)={0xa, 0x4e23, 0x0, @empty}, 0x1c)
listen(r1, 0x0)
setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x4}]}, 0x10)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x4e23, 0x0, @loopback}, 0x63)
sendto$inet6(r2, &(0x7f0000000100)="640e1add0339d84cc557841eb73a912c72ad2db5c8ea919008ed8984bf10ec44b088b460b49e2627ca29972f062454aa3215724132654a0f98858e490916c036cec14a561ad1285d4a8ceb1a943cbf2a4d1b81341e7d15996b350338d09cd4c4d2e38b1151780ed7154652cc9b1ce7ecb2ea85413ce59ebc", 0xfffffffffffffe37, 0x40064880, 0x0, 0x0)

C-repro: repro.c.txt

pabeni commented 3 months ago

this should be solved in current git, after commit 8031b58c3a9b ("mptcp: ensure snd_una is properly initialized on connect")

pabeni commented 3 months ago

@cpaasch: could you please verify the above?

cpaasch commented 3 months ago

Yes, this did not happen anymore in the latest HEADs.