2023-06-13 16:52:39

by syzbot

Subject: [syzbot] [net?] WARNING in unreserve_psock

Hello,

syzbot found the following issue on:

HEAD commit: c29e012eae29 selftests: forwarding: Fix layer 2 miss test ..
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14505343280000
kernel config: https://syzkaller.appspot.com/x/.config?x=526f919910d4a671
dashboard link: https://syzkaller.appspot.com/bug?extid=dd1339599f1840e4cc65
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=170f2663280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f1c5e7280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/12ab2dfeec70/disk-c29e012e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/424354551939/vmlinux-c29e012e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/40982e9df534/bzImage-c29e012e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5007 at net/kcm/kcmsock.c:533 unreserve_psock+0x2e1/0x6e0 net/kcm/kcmsock.c:533
Modules linked in:
CPU: 0 PID: 5007 Comm: syz-executor222 Not tainted 6.4.0-rc5-syzkaller-01194-gc29e012eae29 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:unreserve_psock+0x2e1/0x6e0 net/kcm/kcmsock.c:533
Code: 3c f8 48 89 ef e8 df b1 ff ff 4c 89 f7 e8 e7 f5 cd 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f e9 c4 f2 3c f8 e8 bf f2 3c f8 <0f> 0b 4c 89 f7 e8 c5 f5 cd 00 eb dc e8 ae f2 3c f8 0f 0b e9 f0 fe
RSP: 0018:ffffc90003a9f6a0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888077f60000 RCX: 0000000000000000
RDX: ffff8880284d3b80 RSI: ffffffff89475391 RDI: ffffc90003a9f630
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52000753ec6 R11: 0000000000000005 R12: ffff88802cfd8000
R13: ffff888077f60000 R14: ffff88802cfd81c0 R15: ffff888077f60598
FS: 000055555562f300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200006c8 CR3: 0000000025a48000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kcm_write_msgs+0x571/0x14b0 net/kcm/kcmsock.c:699
kcm_sendmsg+0x1fe1/0x2720 net/kcm/kcmsock.c:903
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0xde/0x190 net/socket.c:747
____sys_sendmsg+0x344/0x920 net/socket.c:2493
___sys_sendmsg+0x110/0x1b0 net/socket.c:2547
__sys_sendmmsg+0x18f/0x460 net/socket.c:2633
__do_sys_sendmmsg net/socket.c:2662 [inline]
__se_sys_sendmmsg net/socket.c:2659 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2659
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7efed1630b39
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff10fc2e08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efed1630b39
RDX: 0000000000000001 RSI: 00000000200006c0 RDI: 0000000000000003
RBP: 00007efed15f4ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007efed15f4d70
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


2023-06-14 00:50:49

by syzbot

Subject: Re: [syzbot] [net?] WARNING in unreserve_psock

syzbot has bisected this issue to:

commit c31a25e1db486f36a0ffe3c849b0a82cda3db7db
Author: David Howells <[email protected]>
Date: Fri Jun 9 10:02:21 2023 +0000

kcm: Send multiple frags in one sendmsg()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13050c75280000
start commit: c29e012eae29 selftests: forwarding: Fix layer 2 miss test ..
git tree: net-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=10850c75280000
console output: https://syzkaller.appspot.com/x/log.txt?x=17050c75280000
kernel config: https://syzkaller.appspot.com/x/.config?x=526f919910d4a671
dashboard link: https://syzkaller.appspot.com/bug?extid=dd1339599f1840e4cc65
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=170f2663280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f1c5e7280000

Reported-by: [email protected]
Fixes: c31a25e1db48 ("kcm: Send multiple frags in one sendmsg()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

2023-06-14 17:15:24

by David Howells

Subject: Re: [syzbot] [net?] WARNING in unreserve_psock

Here's a reduced testcase.

David
---
// https://syzkaller.appspot.com/bug?id=6ffe7d1ebf1efaddb7ddd04784b9b22a8562b8d0
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/kcm.h>

#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)

int main(void)
{
	struct msghdr msg;
	int kcmfd, res;

	/* A KCM socket with no TCP socket attached yet. */
	kcmfd = socket(AF_KCM, SOCK_DGRAM, KCMPROTO_CONNECTED);
	OSERROR(kcmfd, "socket");

	/* An all-zero msghdr is a zero-length send: nothing is queued,
	 * so kcm_write_msgs() never reserves a psock. */
	memset(&msg, 0, sizeof(msg));
	res = sendmsg(kcmfd, &msg, 0);
	OSERROR(res, "sendmsg");
	return 0;
}


2023-06-14 17:36:40

by David Howells

Subject: Re: [syzbot] [net?] WARNING in unreserve_psock

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main

kcm: Fix unnecessary psock unreservation.

kcm_write_msgs() calls unreserve_psock() to release its hold on the
underlying TCP socket if it has run out of things to transmit, but if we
have nothing in the write queue on entry (e.g. because someone did a
zero-length sendmsg), we don't actually go into the transmission loop and
as a consequence don't call reserve_psock().

Fix this by skipping the call to unreserve_psock() if we didn't reserve a
psock.

Fixes: c31a25e1db48 ("kcm: Send multiple frags in one sendmsg()")
Reported-by: [email protected]
Link: https://lore.kernel.org/r/[email protected]/
Signed-off-by: David Howells <[email protected]>
cc: Tom Herbert <[email protected]>
cc: Tom Herbert <[email protected]>
cc: "David S. Miller" <[email protected]>
cc: Eric Dumazet <[email protected]>
cc: Jakub Kicinski <[email protected]>
cc: Paolo Abeni <[email protected]>
cc: Jens Axboe <[email protected]>
cc: Matthew Wilcox <[email protected]>
cc: [email protected]

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index d75d775e9462..d0537c1c8cd7 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -661,6 +661,7 @@ static int kcm_write_msgs(struct kcm_sock *kcm)
kcm_abort_tx_psock(psock, ret ? -ret : EPIPE,
true);
unreserve_psock(kcm);
+ psock = NULL;

txm->started_tx = false;
kcm_report_tx_retry(kcm);
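Review bot: clearing psock right after unreserve_psock() in this abort path only stays safe if every path that continues the loop after kcm_report_tx_retry() re-reserves and reassigns psock before it is dereferenced again; the hunk does not show the retry path, so it is worth confirming that the retry re-enters through the reserve step rather than reusing the now-NULL local. A one-line comment such as "/* released above; retry must reserve again */" next to `psock = NULL;` would make the invariant obvious to the next reader.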
@@ -696,7 +697,8 @@ static int kcm_write_msgs(struct kcm_sock *kcm)
if (!head) {
/* Done with all queued messages. */
WARN_ON(!skb_queue_empty(&sk->sk_write_queue));
- unreserve_psock(kcm);
+ if (psock)
+ unreserve_psock(kcm);
}

/* Check if write space is available */
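Review bot: the new `if (psock)` guard assumes psock is NULL whenever kcm_write_msgs() reaches this point without having reserved one, in particular when the write queue is empty on entry and the transmission loop never runs; the hunk does not show the declaration, so confirm the local is initialised to NULL at the top of the function rather than only assigned inside the loop, otherwise an indeterminate non-NULL value would pass the guard and re-trigger the WARN_ON in unreserve_psock(). Consider also adding a short comment above the guard stating that psock is NULL when nothing was queued, since the reason for the conditional is not visible from the surrounding lines.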

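The control-flow defect the commit message describes (unreserve_psock() called unconditionally after a transmission loop that is the only place a psock gets reserved) can be shown with a small user-space model. This is an added example, not kernel code and not part of the patch: the structs and functions below are constructed for illustration, and the names reserve_psock, unreserve_psock and kcm_write_msgs only mirror the kernel ones. The `guarded` flag switches between the pre-fix unconditional release and the `if (psock)` guard from the patch; the WARN_ON is modelled as a counter.

```c
/* Added example: user-space model of psock reservation pairing in
 * kcm_write_msgs(). Constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct kcm_psock {
	int id;
};

struct kcm_sock {
	struct kcm_psock *tx_psock;	/* non-NULL while a psock is reserved */
	int write_queue_len;		/* queued messages waiting to be sent */
	int warn_count;			/* stand-in for WARN_ON() firing */
};

/* Single psock standing in for the attached TCP socket (constructed). */
static struct kcm_psock model_psock = { .id = 1 };

/* Model of reserve_psock(): take the psock for this kcm socket. */
static struct kcm_psock *reserve_psock(struct kcm_sock *kcm)
{
	if (!kcm->tx_psock)
		kcm->tx_psock = &model_psock;
	return kcm->tx_psock;
}

/* Model of unreserve_psock(): releasing without a reservation is the
 * condition that trips the WARN_ON in the real function. */
static void unreserve_psock(struct kcm_sock *kcm)
{
	if (!kcm->tx_psock) {
		kcm->warn_count++;	/* "WARNING in unreserve_psock" */
		return;
	}
	kcm->tx_psock = NULL;
}

/* Model of kcm_write_msgs(): returns the number of messages sent.
 * guarded == false reproduces the pre-fix unconditional release,
 * guarded == true applies the patch's "if (psock)" guard. */
static int kcm_write_msgs(struct kcm_sock *kcm, bool guarded)
{
	struct kcm_psock *psock = NULL;
	int sent = 0;

	/* The transmission loop is the only place a psock is reserved,
	 * and it does not run at all when nothing is queued. */
	while (kcm->write_queue_len > 0) {
		if (!psock)
			psock = reserve_psock(kcm);
		kcm->write_queue_len--;
		sent++;
	}

	/* "Done with all queued messages." */
	if (!guarded || psock)
		unreserve_psock(kcm);
	return sent;
}

/* Zero-length sendmsg(): the write queue is empty on entry. */
static int warns_for_empty_send(bool guarded)
{
	struct kcm_sock kcm = { .tx_psock = NULL, .write_queue_len = 0 };

	kcm_write_msgs(&kcm, guarded);
	return kcm.warn_count;
}

/* Normal send with three queued messages; both variants must release
 * the reservation exactly once and warn zero times. */
static int warns_for_normal_send(bool guarded, int *sent, bool *released)
{
	struct kcm_sock kcm = { .tx_psock = NULL, .write_queue_len = 3 };

	*sent = kcm_write_msgs(&kcm, guarded);
	*released = (kcm.tx_psock == NULL);
	return kcm.warn_count;
}

int main(void)
{
	int sent;
	bool released;

	printf("empty send, unguarded: %d warning(s)\n", warns_for_empty_send(false));
	printf("empty send, guarded:   %d warning(s)\n", warns_for_empty_send(true));
	printf("normal send, guarded:  %d warning(s), sent %d, released %d\n",
	       warns_for_normal_send(true, &sent, &released), sent, released);
	return 0;
}
```

The model keeps the kernel's shape: reservation happens only inside the loop, so the unguarded release fires exactly when the loop is skipped, which is the zero-length sendmsg case in the reduced testcase, and the guard does not change behaviour for a non-empty queue.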

2023-06-14 23:52:49

by syzbot

Subject: Re: [syzbot] [net?] WARNING in unreserve_psock

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: [email protected]

Tested on:

commit: fa0e21fa rtnetlink: extend RTEXT_FILTER_SKIP_STATS to ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=17677753280000
kernel config: https://syzkaller.appspot.com/x/.config?x=526f919910d4a671
dashboard link: https://syzkaller.appspot.com/bug?extid=dd1339599f1840e4cc65
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1299c5e7280000

Note: testing is done by a robot and is best-effort only.