syzbot


KCSAN: data-race in sk_wait_data / tcp_queue_rcv

Status: fixed on 2019/12/13 00:31
Subsystems: net
[Documentation on labels]
Fix commit: f8cc62ca3e66 net: add a READ_ONCE() in skb_peek_tail()
First crash: 1706d, last: 1696d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in sk_wait_data / tcp_queue_rcv

write to 0xffff88808dea5758 of 8 bytes by interrupt on cpu 1:
 __skb_insert include/linux/skbuff.h:1852 [inline]
 __skb_queue_before include/linux/skbuff.h:1958 [inline]
 __skb_queue_tail include/linux/skbuff.h:1991 [inline]
 tcp_queue_rcv+0x1bd/0x380 net/ipv4/tcp_input.c:4684
 tcp_data_queue+0x7bb/0x20b0 net/ipv4/tcp_input.c:4789
 tcp_rcv_established+0x517/0xf50 net/ipv4/tcp_input.c:5705
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
 tcp_v4_rcv+0x19dc/0x1bb0 net/ipv4/tcp_ipv4.c:1942
 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:442 [inline]
 ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
 process_backlog+0x1d3/0x420 net/core/dev.c:5955
 napi_poll net/core/dev.c:6392 [inline]
 net_rx_action+0x3ae/0xa90 net/core/dev.c:6460

read to 0xffff88808dea5758 of 8 bytes by task 9697 on cpu 0:
 skb_peek_tail include/linux/skbuff.h:1784 [inline]
 sk_wait_data+0x11a/0x250 net/core/sock.c:2477
 tcp_recvmsg+0x5ae/0x1a30 net/ipv4/tcp.c:2096
 inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
 sock_recvmsg_nosec net/socket.c:871 [inline]
 sock_recvmsg net/socket.c:889 [inline]
 sock_recvmsg+0x92/0xb0 net/socket.c:885
 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
 __do_sys_recvmmsg net/socket.c:2703 [inline]
 __se_sys_recvmmsg net/socket.c:2696 [inline]
 __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 9697 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/03 14:03 https://github.com/google/ktsan.git kcsan 05f2236801fe c9610487 .config console log report ci2-upstream-kcsan-gce
2019/10/30 22:15 https://github.com/google/ktsan.git kcsan 05f2236801fe a41ca8fa .config console log report ci2-upstream-kcsan-gce
2019/10/29 05:29 https://github.com/google/ktsan.git kcsan 05f2236801fe 5ea87a66 .config console log report ci2-upstream-kcsan-gce
2019/10/24 08:18 https://github.com/google/ktsan.git kcsan 05f2236801fe d01bb02a .config console log report ci2-upstream-kcsan-gce
* Struck through repros no longer work on HEAD.