Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:414/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 3667 Comm: syz-executor226 Not tainted 6.1.0-rc1-next-20221021-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
tfrc_rx_hist_sample_rtt+0x4ce/0x4e0 net/dccp/ccids/lib/packet_history.c:414
ccid3_hc_rx_packet_recv+0x603/0xf50 net/dccp/ccids/ccid3.c:760
ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
dccp_deliver_input_to_ccids+0xe1/0x260 net/dccp/input.c:176
dccp_rcv_established net/dccp/input.c:374 [inline]
dccp_rcv_established+0x107/0x160 net/dccp/input.c:364
dccp_v4_do_rcv+0x164/0x1a0 net/dccp/ipv4.c:687
sk_backlog_rcv include/net/sock.h:1109 [inline]
__sk_receive_skb+0x294/0x820 net/core/sock.c:565
dccp_v4_rcv+0xfbb/0x18d0 net/dccp/ipv4.c:910
ip_protocol_deliver_rcu+0x9b/0x7c0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2e8/0x4c0 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_local_deliver+0x1aa/0x200 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:455 [inline]
ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:449
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5489
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5603
process_backlog+0x3e0/0x810 net/core/dev.c:5931
__napi_poll+0xb8/0x770 net/core/dev.c:6498
napi_poll net/core/dev.c:6565 [inline]
net_rx_action+0x9fc/0xde0 net/core/dev.c:6676
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107
asm_sysvec_x86_platform_ipi-0xa/0x20
RIP: 0010:rcu_preempt_read_enter kernel/rcu/tree_plugin.h:377 [inline]
RIP: 0010:__rcu_read_lock+0x6a/0xf0 kernel/rcu/tree_plugin.h:400
Code: 25 40 97 03 00 48 8d bd 3c 04 00 00 8b 9b 3c 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 <83> e0 07 83 c3 01 83 c0 03 38 d0 7c 04 84 d2 75 58 48 b8 00 00 00
RSP: 0018:ffffc900040bf2f0 EFLAGS: 00000a03
RAX: ffff888028d0217c RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8189e06c RDI: ffff888028d0217c
RBP: ffff888028d01d40 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 000000000008c001 R12: ffffc900040bf420
R13: 0000000000000000 R14: ffff888028d01d40 R15: ffffea0001c5ce00
rcu_read_lock include/linux/rcupdate.h:757 [inline]
is_bpf_text_address+0x11/0x170 kernel/bpf/core.c:713
kernel_text_address kernel/extable.c:125 [inline]
kernel_text_address+0x39/0x80 kernel/extable.c:94
__kernel_text_address+0x9/0x30 kernel/extable.c:79
unwind_get_return_address arch/x86/kernel/unwind_orc.c:342 [inline]
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:337
arch_stack_walk+0x93/0xe0 arch/x86/kernel/stacktrace.c:26
stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:122
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_unpoison_range-0xf/0x10
kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
slab_free mm/slub.c:3666 [inline]
__kmem_cache_free+0xab/0x3b0 mm/slub.c:3679
skb_free_head+0xac/0x110 net/core/skbuff.c:760
skb_release_data+0x5e5/0x7f0 net/core/skbuff.c:789
skb_release_all net/core/skbuff.c:854 [inline]
__kfree_skb net/core/skbuff.c:868 [inline]
kfree_skb_reason+0x186/0x4b0 net/core/skbuff.c:891
dccp_qpolicy_top-0xd/0x90
dccp_write_xmit+0x182/0x1d0 net/dccp/output.c:369
dccp_sendmsg+0xaea/0xd20 net/dccp/proto.c:783
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:825
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x334/0x8c0 net/socket.c:2482
___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
__sys_sendmmsg+0x18b/0x460 net/socket.c:2622
__do_sys_sendmmsg net/socket.c:2651 [inline]
__se_sys_sendmmsg net/socket.c:2648 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2648
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7faca2b3fe19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdb441b08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007faca2b3fe19
RDX: 000000000000ffc3 RSI: 0000000020001e80 RDI: 0000000000000006
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffdb441b20
R13: 00000000000f4240 R14: 000000000000cce5 R15: 00007fffdb441b14
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
ccid3_first_li: No RTT estimate available, using fallback RTT
ccid3_first_li: X_recv==0
BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:691/ccid3_first_li()
CPU: 0 PID: 3859 Comm: syz-executor226 Not tainted 6.1.0-rc1-next-20221021-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
ccid3_first_li.cold+0x67/0x17a net/dccp/ccids/ccid3.c:691
tfrc_lh_interval_add+0x640/0x8e0 net/dccp/ccids/lib/loss_interval.c:157
tfrc_rx_handle_loss+0x476/0x2030 net/dccp/ccids/lib/packet_history.c:328
ccid3_hc_rx_packet_recv+0x3a9/0xf50 net/dccp/ccids/ccid3.c:744
ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
dccp_deliver_input_to_ccids+0xe1/0x260 net/dccp/input.c:176
dccp_rcv_established net/dccp/input.c:374 [inline]
dccp_rcv_established+0x107/0x160 net/dccp/input.c:364
dccp_v4_do_rcv+0x164/0x1a0 net/dccp/ipv4.c:687
sk_backlog_rcv include/net/sock.h:1109 [inline]
__sk_receive_skb+0x294/0x820 net/core/sock.c:565
dccp_v4_rcv+0xfbb/0x18d0 net/dccp/ipv4.c:910
ip_protocol_deliver_rcu+0x9b/0x7c0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2e8/0x4c0 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_local_deliver+0x1aa/0x200 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:455 [inline]
ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:449
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5489
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5603
process_backlog+0x3e0/0x810 net/core/dev.c:5931
__napi_poll+0xb8/0x770 net/core/dev.c:6498
napi_poll net/core/dev.c:6565 [inline]
net_rx_action+0x9fc/0xde0 net/core/dev.c:6676
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571
do_softirq.part.0+0xde/0x130 kernel/softirq.c:472
do_softirq kernel/softirq.c:464 [inline]
__local_bh_enable_ip+0x102/0x120 kernel/softirq.c:396
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:829 [inline]
ip_finish_output2+0x7d0/0x2170 net/ipv4/ip_output.c:229
__ip_finish_output net/ipv4/ip_output.c:306 [inline]
__ip_finish_output+0x396/0x650 net/ipv4/ip_output.c:288
ip_finish_output+0x2d/0x280 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0x19f/0x310 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:445 [inline]
ip_local_out net/ipv4/ip_output.c:126 [inline]
__ip_queue_xmit+0x8de/0x1be0 net/ipv4/ip_output.c:532
dccp_transmit_skb+0x7e9/0x1420 net/dccp/output.c:138
dccp_send_sync+0x1c0/0x260 net/dccp/output.c:666
__dccp_rcv_established.constprop.0+0x265/0x3b0 net/dccp/input.c:346
dccp_rcv_established net/dccp/input.c:376 [inline]
dccp_rcv_established+0x112/0x160 net/dccp/input.c:364
dccp_v4_do_rcv+0x164/0x1a0 net/dccp/ipv4.c:687
sk_backlog_rcv include/net/sock.h:1109 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2906
release_sock+0x54/0x1b0 net/core/sock.c:3462
dccp_sendmsg+0x6cc/0xd20 net/dccp/proto.c:785
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:825
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x334/0x8c0 net/socket.c:2482
___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
__sys_sendmmsg+0x18b/0x460 net/socket.c:2622
__do_sys_sendmmsg net/socket.c:2651 [inline]
__se_sys_sendmmsg net/socket.c:2648 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2648
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7faca2b3fe19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdb441b08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007faca2b3fe19
RDX: 000000000000ffc3 RSI: 0000000020001e80 RDI: 0000000000000006
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffdb441b20
R13: 00000000000f4240 R14: 000000000000de68 R15: 00007fffdb441b14
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1534/dccp_feat_activate_values()
BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:414/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 4032 Comm: syz-executor226 Not tainted 6.1.0-rc1-next-20221021-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
tfrc_rx_hist_sample_rtt+0x4ce/0x4e0 net/dccp/ccids/lib/packet_history.c:414
ccid3_hc_rx_packet_recv+0x603/0xf50 net/dccp/ccids/ccid3.c:760
ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
dccp_deliver_input_to_ccids+0xe1/0x260 net/dccp/input.c:176
dccp_rcv_established net/dccp/input.c:374 [inline]
dccp_rcv_established+0x107/0x160 net/dccp/input.c:364
dccp_v4_do_rcv+0x164/0x1a0 net/dccp/ipv4.c:687
sk_backlog_rcv include/net/sock.h:1109 [inline]
__sk_receive_skb+0x294/0x820 net/core/sock.c:565
dccp_v4_rcv+0xfbb/0x18d0 net/dccp/ipv4.c:910
ip_protocol_deliver_rcu+0x9b/0x7c0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2e8/0x4c0 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_local_deliver+0x1aa/0x200 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:455 [inline]
ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:449
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5489
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5603
process_backlog+0x3e0/0x810 net/core/dev.c:5931
__napi_poll+0xb8/0x770 net/core/dev.c:6498
napi_poll net/core/dev.c:6565 [inline]
net_rx_action+0x9fc/0xde0 net/core/dev.c:6676
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571
do_softirq.part.0+0xde/0x130 kernel/softirq.c:472
do_softirq kernel/softirq.c:464 [inline]
__local_bh_enable_ip+0x102/0x120 kernel/softirq.c:396
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:829 [inline]
ip_finish_output2+0x7d0/0x2170 net/ipv4/ip_output.c:229
__ip_finish_output net/ipv4/ip_output.c:306 [inline]
__ip_finish_output+0x396/0x650 net/ipv4/ip_output.c:288
ip_finish_output+0x2d/0x280 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0x19f/0x310 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:445 [inline]
ip_local_out net/ipv4/ip_output.c:126 [inline]
__ip_queue_xmit+0x8de/0x1be0 net/ipv4/ip_output.c:532
dccp_transmit_skb+0x7e9/0x1420 net/dccp/output.c:138
dccp_send_sync+0x1c0/0x260 net/dccp/output.c:666
__dccp_rcv_established.constprop.0+0x265/0x3b0 net/dccp/input.c:346
dccp_rcv_established net/dccp/input.c:376 [inline]
dccp_rcv_established+0x112/0x160 net/dccp/input.c:364
dccp_v4_do_rcv+0x164/0x1a0 net/dccp/ipv4.c:687
sk_backlog_rcv include/net/sock.h:1109 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2906
release_sock+0x54/0x1b0 net/core/sock.c:3462
dccp_sendmsg+0x6cc/0xd20 net/dccp/proto.c:785
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:825
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x334/0x8c0 net/socket.c:2482
___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
__sys_sendmmsg+0x18b/0x460 net/socket.c:2622
__do_sys_sendmmsg net/socket.c:2651 [inline]
__se_sys_sendmmsg net/socket.c:2648 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2648
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7faca2b3fe19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdb441b08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007faca2b3fe19
RDX: 000000000000ffc3 RSI: 0000000020001e80 RDI: 0000000000000006
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffdb441b20
R13: 00000000000f4240 R14: 000000000000ed6a R15: 00007fffdb441b14
ccid3_first_li: No RTT estimate available, using fallback RTT
BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:691/ccid3_first_li()
CPU: 0 PID: 4053 Comm: syz-executor226 Not tainted 6.1.0-rc1-next-20221021-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
ccid3_first_li.cold+0x67/0x17a net/dccp/ccids/ccid3.c:691
tfrc_lh_interval_add+0x640/0x8e0 net/dccp/ccids/lib/loss_interval.c:157
----------------
Code disassembly (best guess):
0: 25 40 97 03 00 and $0x39740,%eax
5: 48 8d bd 3c 04 00 00 lea 0x43c(%rbp),%rdi
c: 8b 9b 3c 04 00 00 mov 0x43c(%rbx),%ebx
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 48 89 fa mov %rdi,%rdx
1f: 48 c1 ea 03 shr $0x3,%rdx
23: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
27: 48 89 f8 mov %rdi,%rax
* 2a: 83 e0 07 and $0x7,%eax <-- trapping instruction
2d: 83 c3 01 add $0x1,%ebx
30: 83 c0 03 add $0x3,%eax
33: 38 d0 cmp %dl,%al
35: 7c 04 jl 0x3b
37: 84 d2 test %dl,%dl
39: 75 58 jne 0x93
3b: 48 rex.W
3c: b8 .byte 0xb8
3d: 00 00 add %al,(%rax)