Hello,
syzbot found the following crash on:
HEAD commit: 81c310582f0e kmsan: unpoison virtio input buffers when add..
git tree: https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=1747c21f800000
kernel config: https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
dashboard link: https://syzkaller.appspot.com/bug?extid=13e1ee9caeab5a9abc62
compiler: clang version 7.0.0 (trunk 334104)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=105f5eaf800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b15b6f800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
WARNING: CPU: 0 PID: 4964 at net/core/stream.c:206
sk_stream_kill_queues+0x944/0x970 net/core/stream.c:206
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4964 Comm: syz-executor457 Not tainted 4.17.0+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
panic+0x3d0/0x990 kernel/panic.c:184
__warn+0x40f/0x580 kernel/panic.c:536
report_bug+0x72a/0x880 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
do_error_trap+0x1c1/0x620 arch/x86/kernel/traps.c:298
do_invalid_op+0x46/0x50 arch/x86/kernel/traps.c:317
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:sk_stream_kill_queues+0x944/0x970 net/core/stream.c:206
RSP: 0018:ffff8801a867f368 EFLAGS: 00010293
RAX: ffffffff87dbf654 RBX: 0000000000000813 RCX: ffff8801ab7bd7c0
RDX: 0000000000000000 RSI: aaaaaaaaaaaab000 RDI: ffffea0000000000
RBP: ffff8801a867f3e8 R08: 0000000000000000 R09: 0000000000000002
R10: ffff8801a66d3a00 R11: ffffffff88c44c40 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000813
inet_csk_destroy_sock+0x2a4/0x5d0 net/ipv4/inet_connection_sock.c:833
tcp_close+0xe37/0x18f0 net/ipv4/tcp.c:2323
tls_sk_proto_close+0xc2f/0xcd0 net/tls/tls_main.c:291
inet_release+0x249/0x2b0 net/ipv4/af_inet.c:427
inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:460
sock_release net/socket.c:594 [inline]
sock_close+0xeb/0x310 net/socket.c:1149
__fput+0x458/0xa30 fs/file_table.c:209
____fput+0x37/0x40 fs/file_table.c:243
task_work_run+0x22e/0x2b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x110e/0x3930 kernel/exit.c:867
do_group_exit+0x1a0/0x360 kernel/exit.c:970
get_signal+0x1405/0x1ec0 kernel/signal.c:2482
do_signal+0xb8/0x1d20 arch/x86/kernel/signal.c:810
exit_to_usermode_loop arch/x86/entry/common.c:162 [inline]
prepare_exit_to_usermode+0x271/0x3a0 arch/x86/entry/common.c:196
syscall_return_slowpath+0xe9/0x710 arch/x86/entry/common.c:265
do_syscall_64+0x1ad/0x230 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x447ce9
RSP: 002b:00007feb54132d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: 0000000000008000 RBX: 00000000006dec5c RCX: 0000000000447ce9
RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000020000000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dec58
R13: 0100000000000000 R14: 00007feb541339c0 R15: 000000000000000c
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot has bisected this bug to:
commit 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
Author: Dave Watson <[email protected]>
Date: Wed Jun 14 18:37:39 2017 +0000
tls: kernel TLS support
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127a8f22e00000
start commit: be779f03 Merge tag 'kbuild-v4.18-2' of git://git.kernel.or..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=117a8f22e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=167a8f22e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=855fb54e1e019da2
dashboard link: https://syzkaller.appspot.com/bug?extid=13e1ee9caeab5a9abc62
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165a0c1f800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=114591af800000
Reported-by: [email protected]
Fixes: 3c4d7559159b ("tls: kernel TLS support")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
On Mon, 25 Nov 2019 07:59:01 -0800, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
> Author: Dave Watson <[email protected]>
> Date: Wed Jun 14 18:37:39 2017 +0000
>
> tls: kernel TLS support
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127a8f22e00000
> start commit: be779f03 Merge tag 'kbuild-v4.18-2' of git://git.kernel.or..
> git tree: upstream
> final crash: https://syzkaller.appspot.com/x/report.txt?x=117a8f22e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=167a8f22e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=855fb54e1e019da2
> dashboard link: https://syzkaller.appspot.com/bug?extid=13e1ee9caeab5a9abc62
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165a0c1f800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=114591af800000
>
> Reported-by: [email protected]
> Fixes: 3c4d7559159b ("tls: kernel TLS support")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Looking at the repro timeline I'm fairly confident that
commit 9354544cbccf ("net/tls: fix page double free on TX cleanup")
stopped this. Even though it must had been appearing earlier due to a
different bug, because what the mentioned commit fixed was more recent
than the report.
#syz fix: net/tls: fix page double free on TX cleanup