syzbot


KCSAN: data-race in inet_put_port / mptcp_stream_connect

Status: auto-closed as invalid on 2022/03/24 13:17
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 288d, last: 288d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in inet_put_port / mptcp_stream_connect

write to 0xffff888137d8400e of 2 bytes by interrupt on cpu 1:
 __inet_put_port net/ipv4/inet_hashtables.c:118 [inline]
 inet_put_port+0x112/0x1b0 net/ipv4/inet_hashtables.c:126
 tcp_set_state net/ipv4/tcp.c:2641 [inline]
 tcp_done+0x19f/0x360 net/ipv4/tcp.c:4450
 tcp_reset+0xc6/0x1b0 net/ipv4/tcp_input.c:4314
 tcp_validate_incoming+0xc5b/0xdf0
 tcp_rcv_state_process+0x2c0/0x1250 net/ipv4/tcp_input.c:6450
 tcp_v6_do_rcv+0x5d5/0xa50 net/ipv6/tcp_ipv6.c:1550
 tcp_v6_rcv+0x2048/0x2660 net/ipv6/tcp_ipv6.c:1769
 ip6_protocol_deliver_rcu+0x8ca/0xdf0 net/ipv6/ip6_input.c:422
 ip6_input_finish net/ipv6/ip6_input.c:463 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip6_input+0x73/0x120 net/ipv6/ip6_input.c:472
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish+0x1de/0x270 net/ipv6/ip6_input.c:76
 ip_sabotage_in+0x11c/0x130 net/bridge/br_netfilter_hooks.c:872
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0x72/0x170 net/netfilter/core.c:619
 nf_hook include/linux/netfilter.h:262 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ipv6_rcv+0x11c/0x140 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core net/core/dev.c:5351 [inline]
 __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5465
 netif_receive_skb_internal+0x37/0x150 net/core/dev.c:5551
 netif_receive_skb+0x16/0x170 net/core/dev.c:5610
 br_netif_receive_skb net/bridge/br_input.c:30 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_pass_frame_up+0x282/0x330 net/bridge/br_input.c:61
 br_handle_frame_finish+0xb02/0xbe0
 br_nf_hook_thresh+0x194/0x1d0
 br_nf_pre_routing_finish_ipv6+0x4e6/0x500
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_nf_pre_routing_ipv6+0x1ea/0x280 net/bridge/br_netfilter_ipv6.c:236
 br_nf_pre_routing+0x4d1/0xb30 net/bridge/br_netfilter_hooks.c:505
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:230 [inline]
 br_handle_frame+0x483/0xbc0 net/bridge/br_input.c:370
 __netif_receive_skb_core+0xa39/0x1e20 net/core/dev.c:5245
 __netif_receive_skb_one_core net/core/dev.c:5349 [inline]
 __netif_receive_skb+0x52/0x1b0 net/core/dev.c:5465
 process_backlog+0x23f/0x3e0 net/core/dev.c:5797
 __napi_poll+0x65/0x3f0 net/core/dev.c:6365
 napi_poll net/core/dev.c:6432 [inline]
 net_rx_action+0x29e/0x650 net/core/dev.c:6519
 __do_softirq+0x158/0x2de kernel/softirq.c:558
 do_softirq+0xb1/0xf0 kernel/softirq.c:459
 __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
 local_bh_enable+0x1b/0x20 include/linux/bottom_half.h:33
 rcu_read_unlock_bh include/linux/rcupdate.h:764 [inline]
 ip6_finish_output2+0x9d5/0xbe0 net/ipv6/ip6_output.c:127
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 ip6_finish_output+0x446/0x4c0 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:451 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip6_xmit+0x877/0xa60 net/ipv6/ip6_output.c:324
 inet6_csk_xmit+0x1a4/0x1e0 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x1323/0x1840 net/ipv4/tcp_output.c:1402
 tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
 tcp_send_active_reset+0x26d/0x370 net/ipv4/tcp_output.c:3436
 tcp_disconnect+0x2bf/0xef0 net/ipv4/tcp.c:2998
 __tcp_close+0xc9e/0x11d0 net/ipv4/tcp.c:2805
 tcp_close+0x24/0xa0 net/ipv4/tcp.c:2927
 inet_release+0xc6/0xe0 net/ipv4/af_inet.c:428
 inet6_release+0x3a/0x50 net/ipv6/af_inet6.c:478
 __sock_release net/socket.c:650 [inline]
 sock_release+0x40/0xd0 net/socket.c:678
 rds_tcp_accept_one+0xd0/0x670 net/rds/tcp_listen.c:226
 rds_tcp_accept_worker+0x21/0x70 net/rds/tcp.c:515
 process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
 worker_thread+0x616/0xa70 kernel/workqueue.c:2454
 kthread+0x1bf/0x1e0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30

read to 0xffff888137d8400e of 2 bytes by task 13817 on cpu 0:
 mptcp_copy_inaddrs net/mptcp/protocol.c:2815 [inline]
 mptcp_stream_connect+0x59e/0x6b0 net/mptcp/protocol.c:3452
 __sys_connect_file net/socket.c:1900 [inline]
 __sys_connect+0x197/0x1b0 net/socket.c:1917
 __do_sys_connect net/socket.c:1927 [inline]
 __se_sys_connect net/socket.c:1924 [inline]
 __x64_sys_connect+0x3d/0x50 net/socket.c:1924
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

value changed: 0x80b4 -> 0x0000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 13817 Comm: syz-executor.2 Not tainted 5.17.0-rc4-syzkaller-00054-gf71077a4d84b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (1):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-upstream-kcsan-gce | 2022/02/17 13:11 | upstream | f71077a4d84b | 2bea8a27 | .config | log | report | | | info | KCSAN: data-race in inet_put_port / mptcp_stream_connect |