syzbot


KCSAN: data-race in sctp_poll / sctp_wfree (3)

Status: fixed on 2023/10/12 12:48
Subsystems: sctp
Fix commit: dc9511dd6f37 sctp: annotate data-races around sk->sk_wmem_queued
First crash: 469d, last: 469d
Similar bugs (2)
Kernel    Title                                           Subsystem  Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
upstream  KCSAN: data-race in sctp_poll / sctp_wfree      sctp       -      -             -           2      1827d  1828d     0/28     auto-closed as invalid on 2020/02/16 05:26
upstream  KCSAN: data-race in sctp_poll / sctp_wfree (2)  sctp       -      -             -           3      1340d  1343d     0/28     auto-closed as invalid on 2021/05/17 10:01

Sample crash report:
==================================================================
BUG: KCSAN: data-race in sctp_poll / sctp_wfree

read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0:
 sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147
 skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988
 skb_release_all net/core/skbuff.c:1000 [inline]
 __kfree_skb+0x16/0x140 net/core/skbuff.c:1016
 consume_skb+0x57/0x180 net/core/skbuff.c:1232
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline]
 sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530
 sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128
 sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515
 sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381
 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
 sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169
 sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051
 sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80
 sctp_rcv+0x116e/0x1340 net/sctp/input.c:243
 sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120
 ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
 ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
 NF_HOOK include/linux/netfilter.h:303 [inline]
 ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
 dst_input include/net/dst.h:468 [inline]
 ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
 NF_HOOK include/linux/netfilter.h:303 [inline]
 ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core net/core/dev.c:5452 [inline]
 __netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
 process_backlog+0x21f/0x380 net/core/dev.c:5894
 __napi_poll+0x60/0x3b0 net/core/dev.c:6460
 napi_poll net/core/dev.c:6527 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6660
 __do_softirq+0xc1/0x265 kernel/softirq.c:553
 run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
 smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
 kthread+0x1d7/0x210 kernel/kthread.c:389
 ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1:
 sctp_writeable net/sctp/socket.c:9304 [inline]
 sctp_poll+0x265/0x410 net/sctp/socket.c:8671
 sock_poll+0x253/0x270 net/socket.c:1374
 vfs_poll include/linux/poll.h:88 [inline]
 do_pollfd fs/select.c:873 [inline]
 do_poll fs/select.c:921 [inline]
 do_sys_poll+0x636/0xc00 fs/select.c:1015
 __do_sys_ppoll fs/select.c:1121 [inline]
 __se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101
 __x64_sys_ppoll+0x67/0x80 fs/select.c:1101
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00019e80 -> 0x0000cc80

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
==================================================================
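The report above pairs a read-modify-write of sk->sk_wmem_queued in sctp_wfree() (softirq, chunk freed after a SACK) with a plain read of the same 4-byte field in sctp_writeable() (the poll() path). The following user-space model, added here for illustration and not code from the kernel or from the fix commit, shows the shape of both accesses and the READ_ONCE/WRITE_ONCE annotation the fix's title describes. The struct sock stand-in, the field names beyond the two seen in the report, the emulation of READ_ONCE/WRITE_ONCE with relaxed atomic builtins, and the hypothetical helper names replay_report() and poll_writeable() are assumptions; the starting value 0x19e80 is the report's "value changed" line, and the released amount is derived from it.

```c
/* Added illustration (not kernel code): a user-space model of the
 * sk_wmem_queued race KCSAN reported between sctp_wfree() and
 * sctp_writeable(). READ_ONCE/WRITE_ONCE are emulated here with relaxed
 * atomic builtins; in the kernel they are macros (see include/asm-generic/rwonce.h). */
#include <stdbool.h>
#include <stdio.h>

#define READ_ONCE(x)     __atomic_load_n(&(x), __ATOMIC_RELAXED)
#define WRITE_ONCE(x, v) __atomic_store_n(&(x), (v), __ATOMIC_RELAXED)

/* Hypothetical stand-in for the two struct sock fields used here. */
struct sock {
    int sk_sndbuf;       /* send-buffer limit (SO_SNDBUF) */
    int sk_wmem_queued;  /* bytes of outgoing chunks still queued */
};

/* Unannotated form: the plain accesses KCSAN flagged. The "-=" on the
 * softirq side is a read-modify-write; the compare on the poll side is a
 * plain load. The compiler is free to tear, re-read or cache either, which
 * is what makes the pair a reportable data race. */
static void wfree_racy(struct sock *sk, int amt)
{
    sk->sk_wmem_queued -= amt;
}
static bool writeable_racy(struct sock *sk)
{
    return sk->sk_sndbuf > sk->sk_wmem_queued;
}

/* Annotated form, in the spirit of the fix commit's title: each side is
 * marked so the access happens exactly once and KCSAN treats the pair as
 * an intentional lockless read. The actual hunks of dc9511dd6f37 are not
 * reproduced here; this is an assumption about their shape. */
static void wfree_annotated(struct sock *sk, int amt)
{
    WRITE_ONCE(sk->sk_wmem_queued, READ_ONCE(sk->sk_wmem_queued) - amt);
}
static bool writeable_annotated(struct sock *sk)
{
    return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued);
}

/* Replay the report's "value changed: 0x00019e80 -> 0x0000cc80": the
 * softirq side released 0x19e80 - 0xcc80 = 0xd200 bytes of acknowledged
 * chunks. Returns the field value after the annotated write. */
static int replay_report(void)
{
    struct sock sk = { .sk_sndbuf = 0, .sk_wmem_queued = 0x19e80 };
    wfree_annotated(&sk, 0x19e80 - 0xcc80);
    return sk.sk_wmem_queued;
}

/* Poll side: would the socket report writable for a given limit? Both
 * forms compute the same predicate; the annotation changes how the field
 * is read, not what the answer is. */
static bool poll_writeable(int sndbuf, int queued)
{
    struct sock sk = { .sk_sndbuf = sndbuf, .sk_wmem_queued = queued };
    bool a = writeable_annotated(&sk);
    bool r = writeable_racy(&sk);
    return a && r;
}

int main(void)
{
    struct sock sk = { .sk_sndbuf = 0x10000, .sk_wmem_queued = 0x19e80 };
    wfree_racy(&sk, 0xd200);
    printf("after racy free: queued=0x%x writeable=%d\n",
           sk.sk_wmem_queued, writeable_racy(&sk));
    printf("replay of report: 0x%x\n", replay_report());
    return 0;
}
```

The annotation does not change the arithmetic, which is why the fix is a KCSAN silencing rather than a logic change: the poll path only needs a single, untorn snapshot of the counter, and READ_ONCE/WRITE_ONCE is how the kernel documents that a lockless read of a field written elsewhere is intended.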

Crashes (1):
Time              Kernel    Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets                                 Manager                 Title
2023/08/27 13:41  upstream  28f20a19294d  7ba13a15   .config  console log  report  -          -        info     [disk image] [vmlinux] [kernel image]  ci2-upstream-kcsan-gce  KCSAN: data-race in sctp_poll / sctp_wfree