[syzkaller] Warning in icsk_get_port #279
Comments
|
Apparently there's an invisible fix: https://lore.kernel.org/netdev/CANn89i+pg8guF+XeOngSMa4vUD81g=u-pCBpi0Yp2WB9PQZvdg@mail.gmail.com/ (I saw some other mailing list context that something mysterious is going on with vger/patchwork not seeing messages from this sender). |
|
I've started syzkaller with this proposed fix applied: https://patchwork.kernel.org/project/netdevbpf/list/?series=646663 |
|
Still reproduced the warning with the v1 fix. It only happened once over two days. Attaching logs: syzkaller-log-mptcp.gz Kernel code is a merge of the export/2F20220526T055531 tag from this repo and net/master from Tuesday (2022-05-31) 09e545f, with the v1 series from Joanna applied. |
|
Another warning after another week; report-warn-2.gz This time, the warning was triggered on a regular TCP socket. |
|
Patches causing this upstream have been reverted |
commit bc056e7 upstream. When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 ========================================================= A simple reproducer demonstrating the problem: mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192" We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code. Cc: stable@kernel.org # 6.4 Fixes: 93cdf49 ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()") Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> Link: https://lore.kernel.org/r/20230724121059.11834-3-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Baokun Li <libaokun1@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Syzkaller is frequently hitting a warning in
icsk_get_port()This has already been reported by syzbot (sometimes with
mptcp_listen()in the stack trace, but also using other callers), so it appears to be a broader issue, and continues to be encountered by syzbot on net-next. More context:https://lore.kernel.org/netdev/0000000000003f33bc05dfaf44fe@google.com/
https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
Tracking the issue here so we can confirm the fix when it's posted.
In 6 days, it has been encountered over 300 times.
Code is tag
export/20220524T075839merged with net-next from 2022-05-25 (commit 7e062cd).inet_connection_sock.c:525is this:WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);which was introduced by https://lore.kernel.org/netdev/20220520001834.2247810-1-kuba@kernel.org/ (d5a42de)
config-bhash2.gz
log-bhash2.gz
The text was updated successfully, but these errors were encountered: