syzbot


KCSAN: data-race in __skb_wait_for_more_packets / __sock_queue_rcv_skb

Status: fixed on 2019/11/23 02:56
Subsystems: net
[Documentation on labels]
Fix commit: 7c422d0ce975 net: add READ_ONCE() annotation in __skb_wait_for_more_packets()
First crash: 1706d, last: 1695d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __skb_wait_for_more_packets / __sock_queue_rcv_skb

write to 0xffff8880af0030d8 of 8 bytes by interrupt on cpu 1:
 __skb_insert include/linux/skbuff.h:1852 [inline]
 __skb_queue_before include/linux/skbuff.h:1958 [inline]
 __skb_queue_tail include/linux/skbuff.h:1991 [inline]
 __sock_queue_rcv_skb+0x369/0x5d0 net/core/sock.c:477
 sock_queue_rcv_skb+0x4f/0x70 net/core/sock.c:494
 rawv6_rcv_skb net/ipv6/raw.c:401 [inline]
 rawv6_rcv+0x4f6/0x930 net/ipv6/raw.c:452
 ipv6_raw_deliver net/ipv6/raw.c:219 [inline]
 raw6_local_deliver+0x268/0x600 net/ipv6/raw.c:235
 ip6_protocol_deliver_rcu+0x27a/0xbe0 net/ipv6/ip6_input.c:359
 ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459
 dst_input include/net/dst.h:442 [inline]
 ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284
 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
 process_backlog+0x1d3/0x420 net/core/dev.c:5955
 napi_poll net/core/dev.c:6392 [inline]
 net_rx_action+0x3ae/0xa90 net/core/dev.c:6460
 __do_softirq+0x115/0x33f kernel/softirq.c:292

read to 0xffff8880af0030d8 of 8 bytes by task 16012 on cpu 0:
 __skb_wait_for_more_packets+0xfa/0x320 net/core/datagram.c:100
 __skb_recv_datagram+0xf0/0x160 net/core/datagram.c:310
 skb_recv_datagram+0x76/0xb0 net/core/datagram.c:321
 rawv6_recvmsg+0x14d/0x7e0 net/ipv6/raw.c:480
 sock_common_recvmsg+0x91/0x100 net/core/sock.c:3131
 sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871
 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
 __do_sys_recvmmsg net/socket.c:2703 [inline]
 __se_sys_recvmmsg net/socket.c:2696 [inline]
 __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 16012 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (10):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/03 22:54 https://github.com/google/ktsan.git kcsan 05f2236801fe b35fad31 .config console log report ci2-upstream-kcsan-gce
2019/11/03 12:10 https://github.com/google/ktsan.git kcsan 05f2236801fe c9610487 .config console log report ci2-upstream-kcsan-gce
2019/11/02 22:39 https://github.com/google/ktsan.git kcsan 05f2236801fe d603afc9 .config console log report ci2-upstream-kcsan-gce
2019/11/01 18:55 https://github.com/google/ktsan.git kcsan 05f2236801fe 997ccc67 .config console log report ci2-upstream-kcsan-gce
2019/10/29 05:27 https://github.com/google/ktsan.git kcsan 05f2236801fe 5ea87a66 .config console log report ci2-upstream-kcsan-gce
2019/10/29 05:27 https://github.com/google/ktsan.git kcsan 05f2236801fe 5ea87a66 .config console log report ci2-upstream-kcsan-gce
2019/10/26 17:43 https://github.com/google/ktsan.git kcsan 05f2236801fe 25bb509e .config console log report ci2-upstream-kcsan-gce
2019/10/26 05:00 https://github.com/google/ktsan.git kcsan 05f2236801fe 413926c5 .config console log report ci2-upstream-kcsan-gce
2019/10/25 16:14 https://github.com/google/ktsan.git kcsan 05f2236801fe 04ca72cd .config console log report ci2-upstream-kcsan-gce
2019/10/24 14:35 https://github.com/google/ktsan.git kcsan 05f2236801fe d01bb02a .config console log report ci2-upstream-kcsan-gce
* Struck through repros no longer work on HEAD.