[syzbot] [net?] [afs?] WARNING in rxrpc_send_data

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: e58b4771af2b Merge branch 'vxlan-support-user-defined-rese..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16b9a8f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1362a5aee630ff34
dashboard link: https://syzkaller.appspot.com/bug?extid=ff11be94dfcd7a5af8da
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14cb93e8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15a3d4df980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b527c0c7acd8/disk-e58b4771.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/41720c9a36cc/vmlinux-e58b4771.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8888d773b743/bzImage-e58b4771.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ff11be...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5822 at net/rxrpc/sendmsg.c:296 rxrpc_alloc_txqueue net/rxrpc/sendmsg.c:296 [inline]
WARNING: CPU: 0 PID: 5822 at net/rxrpc/sendmsg.c:296 rxrpc_send_data+0x2969/0x2b30 net/rxrpc/sendmsg.c:390
Modules linked in:
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor280 Not tainted 6.13.0-rc1-syzkaller-00332-ge58b4771af2b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:rxrpc_alloc_txqueue net/rxrpc/sendmsg.c:296 [inline]
RIP: 0010:rxrpc_send_data+0x2969/0x2b30 net/rxrpc/sendmsg.c:390
Code: 24 48 48 89 de e8 37 38 ab f6 4c 39 f3 b8 00 fe ff ff 41 bf fc ff ff ff 44 0f 44 f8 45 31 f6 e9 71 fd ff ff e8 38 33 ab f6 90 <0f> 0b 90 48 8b 7c 24 28 e8 4a d3 09 f7 e9 46 fd ff ff 89 d9 80 e1
RSP: 0018:ffffc90003d9f620 EFLAGS: 00010293
RAX: ffffffff8af43ee8 RBX: ffff88814e6b4e80 RCX: ffff88802b741e00
RDX: 0000000000000000 RSI: 00000000000000ff RDI: ffff88807d0ea440
RBP: ffffc90003d9f8d0 R08: ffff88807d0ea43f R09: 0000000000000000
R10: ffff88807d0ea340 R11: ffffed100fa1d488 R12: ffff88814e6b4e48
R13: 1ffff11029cd69cf R14: ffff88807d0ea000 R15: 0000000000000000
FS: 0000555559fc7380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f831d7fb0d0 CR3: 000000007f1c2000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rxrpc_do_sendmsg+0x1569/0x1910 net/rxrpc/sendmsg.c:763
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
___sys_sendmsg net/socket.c:2637 [inline]
__sys_sendmsg+0x269/0x350 net/socket.c:2669
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f831d783ab9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd37defc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f831d783ab9
RDX: 0000000000008880 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007f831d7cd0fd R08: 0000000000000000 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f831d7d213c
R13: 00007f831d7cd082 R14: 0000000000000001 R15: 0000000000000001
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has bisected this issue to:

commit b341a0263b1b804d329f864c2dc24815364510ec
Author: David Howells <dhow...@redhat.com>
Date: Wed Dec 4 07:46:46 2024 +0000

rxrpc: Implement progressive transmission queue struct

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17bbeb30580000
start commit: e58b4771af2b Merge branch 'vxlan-support-user-defined-rese..
git tree: net-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=147beb30580000
console output: https://syzkaller.appspot.com/x/log.txt?x=107beb30580000

kernel config: https://syzkaller.appspot.com/x/.config?x=1362a5aee630ff34
dashboard link: https://syzkaller.appspot.com/bug?extid=ff11be94dfcd7a5af8da

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14cb93e8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15a3d4df980000

Reported-by: syzbot+ff11be...@syzkaller.appspotmail.com
Fixes: b341a0263b1b ("rxrpc: Implement progressive transmission queue struct")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[Lizhi Xu]

Clean up tx buf and sendmsg race ?

#syz test

diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index 5a543c3f6fb0..35be886b38c4 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -545,6 +545,7 @@ static void rxrpc_cleanup_tx_buffers(struct rxrpc_call *call)
trace_rxrpc_tq(call, tq, 0, rxrpc_tq_cleaned);
kfree(tq);
}
+ call->tx_queue = NULL;
}

/*

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in rxrpc_send_data

------------[ cut here ]------------
WARNING: CPU: 1 PID: 6894 at net/rxrpc/sendmsg.c:296 rxrpc_alloc_txqueue net/rxrpc/sendmsg.c:296 [inline]
WARNING: CPU: 1 PID: 6894 at net/rxrpc/sendmsg.c:296 rxrpc_send_data+0x2969/0x2b30 net/rxrpc/sendmsg.c:390
Modules linked in:
CPU: 1 UID: 0 PID: 6894 Comm: syz.0.74 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024

RIP: 0010:rxrpc_alloc_txqueue net/rxrpc/sendmsg.c:296 [inline]
RIP: 0010:rxrpc_send_data+0x2969/0x2b30 net/rxrpc/sendmsg.c:390

Code: 24 48 48 89 de e8 37 35 ab f6 4c 39 f3 b8 00 fe ff ff 41 bf fc ff ff ff 44 0f 44 f8 45 31 f6 e9 71 fd ff ff e8 38 30 ab f6 90 <0f> 0b 90 48 8b 7c 24 28 e8 4a d0 09 f7 e9 46 fd ff ff 89 d9 80 e1
RSP: 0018:ffffc9000217f3a0 EFLAGS: 00010293
RAX: ffffffff8af441e8 RBX: ffff888064916500 RCX: ffff888030ef5a00
RDX: 0000000000000000 RSI: 00000000000000ff RDI: ffff8880792ee440
RBP: ffffc9000217f650 R08: ffff8880792ee43f R09: 0000000000000000
R10: ffff8880792ee340 R11: ffffed100f25dc88 R12: ffff8880649164c8
R13: 1ffff1100c922c9f R14: ffff8880792ee000 R15: 0000000000000000
FS: 00007fc5a3d7d6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 0000000020005c00 CR3: 000000003143c000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rxrpc_do_sendmsg+0x1569/0x1910 net/rxrpc/sendmsg.c:763
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
___sys_sendmsg net/socket.c:2637 [inline]

__sys_sendmmsg+0x36a/0x720 net/socket.c:2726
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fc5a2f7ff19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc5a3d7d058 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fc5a3145fa0 RCX: 00007fc5a2f7ff19
RDX: 0000000000000001 RSI: 0000000020005c00 RDI: 0000000000000003
RBP: 00007fc5a2ff3cc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc5a3145fa0 R15: 00007ffd4836f878
</TASK>


Tested on:

commit: 96b6fcc0 Merge branch 'net-dsa-cleanup-eee-part-1'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12b084f8580000

kernel config: https://syzkaller.appspot.com/x/.config?x=1362a5aee630ff34
dashboard link: https://syzkaller.appspot.com/bug?extid=ff11be94dfcd7a5af8da

compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=11c2acdf980000

[Lizhi Xu]

#syz test

diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 4974b5accafa..4f5c1b0d9260 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -328,8 +328,8 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
if (tq) {
trace_rxrpc_tq(call, tq, seq, rxrpc_tq_rotate_and_free);
kfree(tq);
- call->tx_queue = NULL;

}
+ call->tx_queue = NULL;
}

_debug("%x,%x,%x,%d", to, call->tx_bottom, call->tx_top, rot_last);

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in rxrpc_send_data

------------[ cut here ]------------

WARNING: CPU: 0 PID: 6653 at net/rxrpc/sendmsg.c:296 rxrpc_alloc_txqueue net/rxrpc/sendmsg.c:296 [inline]
WARNING: CPU: 0 PID: 6653 at net/rxrpc/sendmsg.c:296 rxrpc_send_data+0x2969/0x2b30 net/rxrpc/sendmsg.c:390
Modules linked in:
CPU: 0 UID: 0 PID: 6653 Comm: syz.0.16 Not tainted 6.13.0-rc1-syzkaller-00417-gf3674384709b-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:rxrpc_alloc_txqueue net/rxrpc/sendmsg.c:296 [inline]
RIP: 0010:rxrpc_send_data+0x2969/0x2b30 net/rxrpc/sendmsg.c:390

Code: 24 48 48 89 de e8 97 35 ab f6 4c 39 f3 b8 00 fe ff ff 41 bf fc ff ff ff 44 0f 44 f8 45 31 f6 e9 71 fd ff ff e8 98 30 ab f6 90 <0f> 0b 90 48 8b 7c 24 28 e8 aa d0 09 f7 e9 46 fd ff ff 89 d9 80 e1
RSP: 0018:ffffc90003d4f3a0 EFLAGS: 00010293
RAX: ffffffff8af44188 RBX: ffff88805a8bce80 RCX: ffff8880263e8000
RDX: 0000000000000000 RSI: 00000000000000ff RDI: ffff888034486440
RBP: ffffc90003d4f650 R08: ffff88803448643f R09: 0000000000000000
R10: ffff888034486340 R11: ffffed1006890c88 R12: ffff88805a8bce48
R13: 1ffff1100b5179cf R14: ffff888034486000 R15: 0000000000000000
FS: 00007fc905bbc6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 0000559e43303950 CR3: 0000000025e2a000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rxrpc_do_sendmsg+0x1569/0x1910 net/rxrpc/sendmsg.c:763
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
___sys_sendmsg net/socket.c:2637 [inline]
__sys_sendmmsg+0x36a/0x720 net/socket.c:2726
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fc904d7ff19

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fc905bbc058 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fc904f45fa0 RCX: 00007fc904d7ff19

RDX: 0000000000000001 RSI: 0000000020005c00 RDI: 0000000000000003

RBP: 00007fc904df3cc8 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007fc904f45fa0 R15: 00007ffcacaf6308
</TASK>


Tested on:

commit: f3674384 Merge branch 'net-smc-two-features-for-smc-r'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17821be8580000

kernel config: https://syzkaller.appspot.com/x/.config?x=1362a5aee630ff34
dashboard link: https://syzkaller.appspot.com/bug?extid=ff11be94dfcd7a5af8da
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=17ec1be8580000

[David Howells]

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main

diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 0c0a3c89dba3..718193df9d2e 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -571,6 +571,7 @@ enum rxrpc_call_flag {
RXRPC_CALL_RX_LAST, /* Received the last packet (at rxtx_top) */
RXRPC_CALL_TX_LAST, /* Last packet in Tx buffer (at rxtx_top) */
RXRPC_CALL_TX_ALL_ACKED, /* Last packet has been hard-acked */
+ RXRPC_CALL_TX_NO_MORE, /* No more data to transmit (MSG_MORE deasserted) */
RXRPC_CALL_SEND_PING, /* A ping will need to be sent */
RXRPC_CALL_RETRANS_TIMEOUT, /* Retransmission due to timeout occurred */
RXRPC_CALL_BEGAN_RX_TIMER, /* We began the expect_rx_by timer */
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index c4c8b718cafa..0e8da909d4f2 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -266,6 +266,7 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
/* Order send_top after the queue->next pointer and txb content. */
smp_store_release(&call->send_top, seq);
if (last) {
+ set_bit(RXRPC_CALL_TX_NO_MORE, &call->flags);
rxrpc_notify_end_tx(rx, call, notify_end_tx);
call->send_queue = NULL;
}
@@ -329,6 +330,13 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
bool more = msg->msg_flags & MSG_MORE;
int ret, copied = 0;

+ if (test_bit(RXRPC_CALL_TX_NO_MORE, &call->flags)) {
+ trace_rxrpc_abort(call->debug_id, rxrpc_sendmsg_late_send,
+ call->cid, call->call_id, call->rx_consumed,
+ 0, -EPROTO);
+ return -EPROTO;
+ }
+
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);

ret = rxrpc_wait_to_be_connected(call, &timeo);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ff11be...@syzkaller.appspotmail.com
Tested-by: syzbot+ff11be...@syzkaller.appspotmail.com

Tested on:

commit: f3674384 Merge branch 'net-smc-two-features-for-smc-r'

git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=13a34d44580000

kernel config: https://syzkaller.appspot.com/x/.config?x=1362a5aee630ff34
dashboard link: https://syzkaller.appspot.com/bug?extid=ff11be94dfcd7a5af8da
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=169d4d44580000

Note: testing is done by a robot and is best-effort only.