Re: WARNING in tcp_enter_loss (2)

From: syzbot
Date: Fri Apr 27 2018 - 08:16:09 EST


syzbot has found reproducer for the following crash on upstream commit
0644f186fc9d77bb5bd198369e59fb28927a3692 (Thu Apr 26 23:36:11 2018 +0000)
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=c5a3099b94cbdd9cd6da

So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5374384306913280
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4821663019433984
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5119802469253120
Kernel config: https://syzkaller.appspot.com/x/.config?id=7043958930931867332
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c5a3099b94cbdd9cd6da@xxxxxxxxxxxxxxxxxxxxxxxxx
It will help syzbot understand when the bug is fixed.

WARNING: CPU: 0 PID: 4456 at net/ipv4/tcp_input.c:1955 tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4456 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
panic+0x22f/0x4de kernel/panic.c:184
__warn.cold.8+0x163/0x1b3 kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:ffff8801b66c7560 EFLAGS: 00010293
RAX: ffff8801b66686c0 RBX: 0000000000000001 RCX: ffffffff864ac155
RDX: 0000000000000000 RSI: ffffffff864ac5bf RDI: 0000000000000004
RBP: ffff8801b66c75e0 R08: ffff8801b66686c0 R09: 0000000000000000
R10: ffffed0043fff001 R11: ffff88021fff8017 R12: 0000000000000003
R13: 0000000000000002 R14: ffff8801c8c6dd30 R15: ffff8801d02e5500
WARNING: CPU: 1 PID: 4450 at net/ipv4/tcp_input.c:1955 tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
Modules linked in:
CPU: 1 PID: 4450 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:ffff8801b60b7560 EFLAGS: 00010293
RAX: ffff8801b662e500 RBX: 0000000000000001 RCX: ffffffff864ac155
RDX: 0000000000000000 RSI: ffffffff864ac5bf RDI: 0000000000000004
RBP: ffff8801b60b75e0 R08: ffff8801b662e500 R09: 0000000000000000
R10: ffffed0043fff009 R11: ffff88021fff8057 R12: 0000000000000003
R13: 0000000000000002 R14: ffff8801cc3cf870 R15: ffff8801cd4f0a80
FS: 00000000015e1880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 00000001b631c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
release_sock+0x107/0x2b0 net/core/sock.c:2856
do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
release_sock+0x107/0x2b0 net/core/sock.c:2856
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP: 002b:00007ffe202bc838 EFLAGS: 00000207
ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441bc9
RDX: 0000000000000016 RSI: 0000000000000006 RDI: 0000000000000003
RBP: 00000000006cd018 R08: 000000002000023b R09: 0000000000000010
tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
R10: 0000000020000040 R11: 0000000000000207 R12: 0000000000402810
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
R13: 00000000004028a0 R14: 0000000000000000 R15: 0000000000000000
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP: 002b:00007ffe202bc838 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441bc9
RDX: 0000000000000016 RSI: 0000000000000006 RDI: 0000000000000003
RBP: 00000000006cd018 R08: 000000002000023b R09: 0000000000000010
R10: 0000000020000040 R11: 0000000000000207 R12: 0000000000402810
R13: 00000000004028a0 R14: 0000000000000000 R15: 0000000000000000
Code: 89 a7 38 08 00 00 e9 07 fc ff ff 49 8d 87 78 09 00 00 48 89 45 88 49 8d 87 68 07 00 00 48 89 45 d0 e9 c5 f2 ff ff e8 91 6a 2e fb <0f> 0b e9 98 fb ff ff e8 55 cb 6a fb e9 de f6 ff ff 48 8b 7d d0
irq event stamp: 76541
hardirqs last enabled at (76539): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
hardirqs last disabled at (76541): [<ffffffff87801166>] error_entry+0x76/0xd0 arch/x86/entry/entry_64.S:1262
softirqs last enabled at (76528): [<ffffffff87a00778>] __do_softirq+0x778/0xaf5 kernel/softirq.c:311
softirqs last disabled at (76540): [<ffffffff85d60074>] spin_lock_bh include/linux/spinlock.h:315 [inline]
softirqs last disabled at (76540): [<ffffffff85d60074>] release_sock+0x74/0x2b0 net/core/sock.c:2848
---[ end trace a7562162d42a707b ]---
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..