general protection fault in tcp_push

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: e2cd24b6 Linux 4.14.143
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=160f11b9600000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcb6107bcdc0039
dashboard link: https://syzkaller.appspot.com/bug?extid=cf762331ca3b8c55c929
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cf7623...@syzkaller.appspotmail.com

input: syz1 as /devices/virtual/input/input18
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 21267 Comm: syz-executor.3 Not tainted 4.14.143 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff88809676c040 task.stack: ffff888073f40000
RIP: 0010:tcp_mark_push net/ipv4/tcp.c:630 [inline]
RIP: 0010:tcp_push+0xe9/0x610 net/ipv4/tcp.c:694
RSP: 0018:ffff888073f47a48 EFLAGS: 00010202
kobject: 'loop1' (ffff8880a4a37720): kobject_uevent_env
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90005e3d000
RDX: 0000000000000007 RSI: ffffffff85231b30 RDI: 0000000000000038
RBP: ffff888073f47a98 R08: ffff8880651f5c5c R09: ffff88809676c8e0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880651f53c0
R13: 0000000000000000 R14: ffff8880651f5c54 R15: 0000000000000000
FS: 00007faa2ed5d700(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c92e000 CR3: 0000000099f3b000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_sendmsg_locked+0x2307/0x3200 net/ipv4/tcp.c:1426
kobject: 'loop1' (ffff8880a4a37720): fill_kobj_path: path
= '/devices/virtual/block/loop1'
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4598e9
RSP: 002b:00007faa2ed5cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004598e9
RDX: 00000000fffffff3 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007faa2ed5d6d4
R13: 00000000004c7880 R14: 00000000004dd188 R15: 00000000ffffffff
Code: 00 4d 8d 84 24 9c 08 00 00 4c 89 45 b8 e8 40 c7 39 fc 48 8d 7b 38 4c
8b 45 b8 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
84 c0 74 06 0f 8e 1e 04 00 00 48 b8 00 00 00 00 00
RIP: tcp_mark_push net/ipv4/tcp.c:630 [inline] RSP: ffff888073f47a48
RIP: tcp_push+0xe9/0x610 net/ipv4/tcp.c:694 RSP: ffff888073f47a48
---[ end trace c3a68a2db27b545e ]---
kobject: 'event4' (ffff88806bc84238): kobject_uevent_env


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 968722f5 Linux 4.14.144
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1767b579600000
kernel config: https://syzkaller.appspot.com/x/.config?x=d4e2adafc1879954

dashboard link: https://syzkaller.appspot.com/bug?extid=cf762331ca3b8c55c929
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16eabb59600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1546c9b5600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cf7623...@syzkaller.appspotmail.com

audit: type=1400 audit(1568743966.749:36): avc: denied { map } for
pid=6864 comm="syz-executor588" path="/root/syz-executor588392884"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:

CPU: 0 PID: 6867 Comm: syz-executor588 Not tainted 4.14.144 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011

task: ffff888095d94500 task.stack: ffff88808f730000

RIP: 0010:tcp_mark_push net/ipv4/tcp.c:630 [inline]
RIP: 0010:tcp_push+0xe9/0x610 net/ipv4/tcp.c:694

RSP: 0018:ffff88808f737a48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000008 RDI: 0000000000000038
RBP: ffff88808f737a98 R08: ffff88808d32c91c R09: ffff888095d94da0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808d32c080
R13: 0000000000000000 R14: ffff88808d32c914 R15: 0000000000000008
FS: 00007f73452ee700(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 0000000021000000 CR3: 000000009e14a000 CR4: 00000000001406f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_sendmsg_locked+0x2307/0x3200 net/ipv4/tcp.c:1426

tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

RIP: 0033:0x446869
RSP: 002b:00007f73452edd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446869
RDX: ffffffffffffff47 RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 00000000006dbc50 R08: 0000000000000000 R09: 000000000000001a
R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dbc5c
R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
Code: 00 4d 8d 84 24 9c 08 00 00 4c 89 45 b8 e8 c0 c7 39 fc 48 8d 7b 38 4c

8b 45 b8 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
84 c0 74 06 0f 8e 1e 04 00 00 48 b8 00 00 00 00 00

RIP: tcp_mark_push net/ipv4/tcp.c:630 [inline] RSP: ffff88808f737a48
RIP: tcp_push+0xe9/0x610 net/ipv4/tcp.c:694 RSP: ffff88808f737a48
---[ end trace e7663ee5316fa09c ]---

[syzbot]

syzbot suspects this bug was fixed by commit:

commit f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4
Author: Christoph Paasch <cpa...@apple.com>
Date: Fri Sep 13 20:08:18 2019 +0000

tcp: Reset send_head when removing skb from write-queue

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15622c2ae00000
start commit: 968722f5 Linux 4.14.144
git tree: linux-4.14.y

kernel config: https://syzkaller.appspot.com/x/.config?x=d4e2adafc1879954
dashboard link: https://syzkaller.appspot.com/bug?extid=cf762331ca3b8c55c929

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16eabb59600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1546c9b5600000

If the result looks correct, please mark the bug fixed by replying with:

#syz fix: tcp: Reset send_head when removing skb from write-queue

For information about bisection process see: https://goo.gl/tpsmEJ#bisection