WARNING in tcp_enter_loss (2)

[syzbot]

Hello,

syzbot hit the following crash on net-next commit
a366e300ae9fc466d333e6d8f2bc5d58ed248041 (Wed Mar 7 16:43:19 2018 +0000)
ip6mr: remove synchronize_rcu() in favor of SOCK_RCU_FREE

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c5a309...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

RAX: ffffffffffffffda RBX: 00007f2aae9136d4 RCX: 0000000000453e69
RDX: 0000000000000000 RSI: 0000000020000a80 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 0000000000000483 R14: 00000000006f6ce8 R15: 0000000000000000
WARNING: CPU: 0 PID: 4083 at net/ipv4/tcp_input.c:1955
tcp_enter_loss+0xd28/0xff0 net/ipv4/tcp_input.c:1955
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4083 Comm: rsyslogd Not tainted 4.16.0-rc4+ #256
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:tcp_enter_loss+0xd28/0xff0 net/ipv4/tcp_input.c:1955
RSP: 0000:ffff8801db207360 EFLAGS: 00010206
RAX: ffff8801b6cb2680 RBX: 0000000000000004 RCX: ffffffff84c7abe8
RDX: 0000000000000100 RSI: 0000000000000001 RDI: ffff8801d8352824
RBP: ffff8801db2073e0 R08: ffff88021fff801c R09: ffff88021fff8008
R10: 00000000fc3e77b6 R11: ffff88021fff801d R12: 0000000000000009
R13: ffff8801ab90ecb0 R14: dffffc0000000000 R15: ffff8801d8352000
tcp_retransmit_timer+0xee0/0x2dd0 net/ipv4/tcp_timer.c:485
tcp_write_timer_handler+0x335/0x820 net/ipv4/tcp_timer.c:572
tcp_write_timer+0x153/0x170 net/ipv4/tcp_timer.c:592
call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
</IRQ>
RIP: 0033:0x41ca14
RSP: 002b:00007efd33621d60 EFLAGS: 00000207 ORIG_RAX: ffffffffffffff12
RAX: 0000000000000009 RBX: 0000000001f532e0 RCX: 656c6c616b7a7973
RDX: 0000000001f5346d RSI: 0000000001f1d1d9 RDI: 0000000001f53476
RBP: 0000000000000009 R08: 0000000001f1d1d0 R09: 00007efd35a00250
R10: 645f6b636f6c203f R11: 00007efd35a32a50 R12: 0000000001f1d1d0
R13: 0000000000000009 R14: 00000000000006c7 R15: 00007efd34e56da7
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

[syzbot]

syzbot has found reproducer for the following crash on upstream commit
0644f186fc9d77bb5bd198369e59fb28927a3692 (Thu Apr 26 23:36:11 2018 +0000)
Merge tag 'for_linus' of
git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=c5a3099b94cbdd9cd6da

So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5374384306913280
syzkaller reproducer:
https://syzkaller.appspot.com/x/repro.syz?id=4821663019433984
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5119802469253120
Kernel config:
https://syzkaller.appspot.com/x/.config?id=7043958930931867332
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c5a309...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

WARNING: CPU: 0 PID: 4456 at net/ipv4/tcp_input.c:1955
tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4456 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
panic+0x22f/0x4de kernel/panic.c:184
__warn.cold.8+0x163/0x1b3 kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:ffff8801b66c7560 EFLAGS: 00010293
RAX: ffff8801b66686c0 RBX: 0000000000000001 RCX: ffffffff864ac155
RDX: 0000000000000000 RSI: ffffffff864ac5bf RDI: 0000000000000004
RBP: ffff8801b66c75e0 R08: ffff8801b66686c0 R09: 0000000000000000
R10: ffffed0043fff001 R11: ffff88021fff8017 R12: 0000000000000003
R13: 0000000000000002 R14: ffff8801c8c6dd30 R15: ffff8801d02e5500
WARNING: CPU: 1 PID: 4450 at net/ipv4/tcp_input.c:1955
tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
Modules linked in:
CPU: 1 PID: 4450 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011

RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:ffff8801b60b7560 EFLAGS: 00010293
RAX: ffff8801b662e500 RBX: 0000000000000001 RCX: ffffffff864ac155
RDX: 0000000000000000 RSI: ffffffff864ac5bf RDI: 0000000000000004
RBP: ffff8801b60b75e0 R08: ffff8801b662e500 R09: 0000000000000000
R10: ffffed0043fff009 R11: ffff88021fff8057 R12: 0000000000000003
R13: 0000000000000002 R14: ffff8801cc3cf870 R15: ffff8801cd4f0a80
FS: 00000000015e1880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 00000001b631c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
release_sock+0x107/0x2b0 net/core/sock.c:2856
do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
release_sock+0x107/0x2b0 net/core/sock.c:2856
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP: 002b:00007ffe202bc838 EFLAGS: 00000207
ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441bc9
RDX: 0000000000000016 RSI: 0000000000000006 RDI: 0000000000000003
RBP: 00000000006cd018 R08: 000000002000023b R09: 0000000000000010
tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
R10: 0000000020000040 R11: 0000000000000207 R12: 0000000000402810
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
R13: 00000000004028a0 R14: 0000000000000000 R15: 0000000000000000
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP: 002b:00007ffe202bc838 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441bc9
RDX: 0000000000000016 RSI: 0000000000000006 RDI: 0000000000000003
RBP: 00000000006cd018 R08: 000000002000023b R09: 0000000000000010
R10: 0000000020000040 R11: 0000000000000207 R12: 0000000000402810
R13: 00000000004028a0 R14: 0000000000000000 R15: 0000000000000000
Code: 89 a7 38 08 00 00 e9 07 fc ff ff 49 8d 87 78 09 00 00 48 89 45 88 49
8d 87 68 07 00 00 48 89 45 d0 e9 c5 f2 ff ff e8 91 6a 2e fb <0f> 0b e9 98
fb ff ff e8 55 cb 6a fb e9 de f6 ff ff 48 8b 7d d0
irq event stamp: 76541
hardirqs last enabled at (76539): [<ffffffff878009d5>]
restore_regs_and_return_to_kernel+0x0/0x2b
hardirqs last disabled at (76541): [<ffffffff87801166>]
error_entry+0x76/0xd0 arch/x86/entry/entry_64.S:1262
softirqs last enabled at (76528): [<ffffffff87a00778>]
__do_softirq+0x778/0xaf5 kernel/softirq.c:311
softirqs last disabled at (76540): [<ffffffff85d60074>] spin_lock_bh
include/linux/spinlock.h:315 [inline]
softirqs last disabled at (76540): [<ffffffff85d60074>]
release_sock+0x74/0x2b0 net/core/sock.c:2848
---[ end trace a7562162d42a707b ]---

[syzbot]

syzbot has bisected this bug to:

commit a0370b3f3f2cfb8b424b04c0545414abaa53f5ee
Author: Yuchung Cheng <ych...@google.com>
Date: Fri Jan 13 06:11:36 2017 +0000

tcp: enable RACK loss detection to trigger recovery

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=114cbdf2e00000
start commit: 0644f186 Merge tag 'for_linus' of git://git.kernel.org/pub..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=134cbdf2e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=154cbdf2e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=61c12b53c2a25ec4
dashboard link: https://syzkaller.appspot.com/bug?extid=c5a3099b94cbdd9cd6da
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112146e7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1317f95b800000

Reported-by: syzbot+c5a309...@syzkaller.appspotmail.com
Fixes: a0370b3f3f2c ("tcp: enable RACK loss detection to trigger recovery")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection