
[syzkaller] WARNING in skb_try_coalesce #572

Open
@matttbe

Description

This is not a new issue: I have been getting it about once a month since April, and only with TCP, e.g.

sock: sock_set_timeout: `syz.0.792' (pid 5239) tries to set negative timeout
sock: sock_set_timeout: `syz.0.792' (pid 5239) tries to set negative timeout
netlink: 'syz.1.799': attribute type 27 has an invalid length.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5331 at net/core/skbuff.c:6128 skb_try_coalesce+0x9d8/0xa70 net/core/skbuff.c:6128
Modules linked in:
CPU: 0 UID: 0 PID: 5331 Comm: syz.0.819 Not tainted 6.15.0-rc7-gbf987676298e #12 PREEMPT(voluntary) 
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:skb_try_coalesce+0x9d8/0xa70 net/core/skbuff.c:6128
Code: 4c 89 fe e8 0a c4 fb fe 4d 85 ff 0f 84 f8 fa ff ff e8 cc cb fb fe 49 8d 46 ff 48 89 44 24 18 e9 e5 fa ff ff e8 b9 cb fb fe 90 <0f> 0b 90 e9 68 fb ff ff e8 ab cb fb fe e8 f6 69 ff ff 48 89 c3 e9
RSP: 0018:ffffc90000d37960 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880233824e8 RCX: ffffffff824962cf
RDX: ffff8880238bc200 RSI: ffffffff82496767 RDI: 0000000000000004
RBP: ffffc90000d37a96 R08: 0000000000000004 R09: 0000000000007ec0
R10: 0000000000008000 R11: 0000000000000000 R12: ffff88800e695ee8
R13: ffff88800c7362c0 R14: 0000000000008000 R15: 0000000000007ec0
FS:  00007ff55bd866c0(0000) GS:ffff88813871c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000270000 CR3: 000000002b2e6000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcp_try_coalesce+0x14a/0x220 net/ipv4/tcp_input.c:4913
 tcp_queue_rcv+0x49/0x160 net/ipv4/tcp_input.c:5181
 tcp_data_queue+0x80a/0x1710 net/ipv4/tcp_input.c:5312
 tcp_rcv_established+0x3ec/0xd40 net/ipv4/tcp_input.c:6308
 tcp_v4_do_rcv+0x293/0x4b0 net/ipv4/tcp_ipv4.c:1925
 sk_backlog_rcv include/net/sock.h:1148 [inline]
 __release_sock+0x129/0x150 net/core/sock.c:3203
 release_sock+0x36/0xd0 net/core/sock.c:3757
 tcp_sendmsg+0x38/0x50 net/ipv4/tcp.c:1397
 inet6_sendmsg+0x5d/0xd0 net/ipv6/af_inet6.c:659
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 ____sys_sendmsg+0x303/0x550 net/socket.c:2566
 ___sys_sendmsg+0xc8/0x130 net/socket.c:2620
 __sys_sendmmsg+0x159/0x300 net/socket.c:2709
 __do_sys_sendmmsg net/socket.c:2736 [inline]
 __se_sys_sendmmsg net/socket.c:2733 [inline]
 __x64_sys_sendmmsg+0x25/0x30 net/socket.c:2733
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x9e/0x1a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff55d7536ed
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff55bd86018 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007ff55d996080 RCX: 00007ff55d7536ed
RDX: 0000000000000002 RSI: 0000200000005180 RDI: 0000000000000006
RBP: 00007ff55d7f7722 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000004000051 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff55d996080 R15: 00007ffd78cb2520
 </TASK>
---[ end trace 0000000000000000 ]---
veth0: default FDB implementation only supports local addresses

syzkaller-logs.txt

But recently, on top of export/20250711T100311 (455f606), I got one with mptcp_try_coalesce:

audit: type=1400 audit(1752371951.394:107): avc:  denied  { recvfrom } for  pid=12741 comm="syz.8.2854" saddr=172.20.20.57 src=20004 daddr=172.20.20.57 dest=20004 netif=lo scontext=system_u:object_r:netlabel_peer_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node permissive=1
A link change request failed with some changes committed already. Interface .4 may have been left with an inconsistent configuration, please check.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 12742 at net/core/skbuff.c:6128 skb_try_coalesce+0x9d8/0xa70 net/core/skbuff.c:6128
Modules linked in:
CPU: 0 UID: 0 PID: 12742 Comm: syz.8.2854 Not tainted 6.16.0-rc5-g455f606172fa #22 PREEMPT(voluntary) 
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:skb_try_coalesce+0x9d8/0xa70 net/core/skbuff.c:6128
Code: 4c 89 fe e8 1a 5b fa fe 4d 85 ff 0f 84 f8 fa ff ff e8 dc 62 fa fe 49 8d 46 ff 48 89 44 24 18 e9 e5 fa ff ff e8 c9 62 fa fe 90 <0f> 0b 90 e9 68 fb ff ff e8 bb 62 fa fe e8 e6 69 ff ff 48 89 c3 e9
RSP: 0018:ffffc90000cd3ac0 EFLAGS: 00010287
RAX: 00000000000260c0 RBX: ffff888004b75ce8 RCX: ffffc9002aabb000
RDX: 0000000000080000 RSI: ffffffff824b24d7 RDI: 0000000000000004
RBP: ffffc90000cd3b43 R08: 0000000000000004 R09: 0000000000007ec0
R10: 0000000000008000 R11: 0000000000000000 R12: ffff888004b74ae8
R13: ffff88802970dac0 R14: 0000000000008000 R15: 0000000000007ec0
FS:  00007f5014a176c0(0000) GS:ffff888138708000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000004d80 CR3: 00000000b61dc000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 mptcp_try_coalesce+0xd4/0x180 net/mptcp/protocol.c:153
 __mptcp_move_skb net/mptcp/protocol.c:333 [inline]
 __mptcp_move_skbs_from_subflow+0x665/0xe20 net/mptcp/protocol.c:635
 __mptcp_move_skbs+0x131/0x280 net/mptcp/protocol.c:2080
 mptcp_release_cb+0x29d/0x560 net/mptcp/protocol.c:3427
 release_sock+0xc7/0xd0 net/core/sock.c:3745
 sk_stream_wait_memory+0x2ae/0x6f0 net/core/stream.c:145
 mptcp_sendmsg+0x515/0xc30 net/mptcp/protocol.c:1852
 inet_sendmsg+0xc0/0xd0 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 __sys_sendto+0x2a1/0x2f0 net/socket.c:2228
 __do_sys_sendto net/socket.c:2235 [inline]
 __se_sys_sendto net/socket.c:2231 [inline]
 __x64_sys_sendto+0x28/0x30 net/socket.c:2231
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xa4/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f50163c36ad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5014a17018 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5016605fa0 RCX: 00007f50163c36ad
RDX: fffffffffffffdb0 RSI: 00002000000001c0 RDI: 0000000000000003
RBP: 00007f50164677aa R08: 0000200000000480 R09: 0000000000000010
R10: 0000000020044091 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5016605fa0 R15: 00007ffc8adb8c60
 </TASK>
---[ end trace 0000000000000000 ]---
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56052 sclass=netlink_route_socket pid=12751 comm=syz.2.2857

syzkaller-logs2.txt

Note: this bug is currently not reproducible.
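Added example (not code from the issue, the mptcp_net-next project or syzkaller): a small Python triage helper that parses WARNING splats like the two above out of a syzkaller log, reduces each to a signature of warning site, innermost kernel caller and syscall, and groups reports by that signature. Run over a trimmed excerpt of the two traces quoted in this issue, it shows the same WARN_ON at net/core/skbuff.c:6128 reached through two different paths, tcp_try_coalesce via sendmmsg and mptcp_try_coalesce via sendto, which is the distinction that matters when deciding whether a new report is the same bug. The regexes, the `Splat` fields and the x86-64 splat layout they assume are the example's own.

```python
"""Triage helper for kernel WARNING splats pasted from syzkaller logs.
Added example; the regexes assume the x86-64 splat layout shown in the issue."""
import re
from dataclasses import dataclass, field

WARN_RE = re.compile(
    r"^WARNING: CPU: \d+ PID: \d+ at (?P<site>\S+) (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
CPU_RE = re.compile(r"^CPU: \d+ .*?Comm: (?P<comm>\S+) (?P<rest>.*)$")
FRAME_RE = re.compile(
    r"^\s+(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?: (?P<loc>\S+))?(?: \[inline\])?$")
SYSCALL_RE = re.compile(r"^__(?:do|se|x64|ia32)_sys_(?P<name>\w+)$")


@dataclass
class Splat:
    site: str                 # file:line of the WARN_ON, from the WARNING line
    func: str                 # function containing the WARN_ON
    comm: str = ""            # task name (the syzkaller program) that triggered it
    kernel: str = ""          # kernel version string from the CPU line
    tainted: bool = False
    frames: list = field(default_factory=list)  # (function, file:line or ""), innermost first


def parse_splats(text: str) -> list:
    """Return one Splat per WARNING report found in text."""
    splats, cur, in_trace = [], None, False
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            cur = Splat(site=m["site"], func=m["func"])
            splats.append(cur)
            in_trace = False
            continue
        if cur is None:
            continue
        m = CPU_RE.match(line)
        if m:
            cur.comm = m["comm"]
            cur.tainted = not m["rest"].startswith("Not tainted")
            toks = m["rest"].split()
            # the version string is the token just before the build number ("#12")
            i = next((k for k, t in enumerate(toks) if t.startswith("#")), None)
            if i is not None:
                cur.kernel = toks[i - 1]
            continue
        s = line.strip()
        if s == "<TASK>":
            in_trace = True
        elif s == "</TASK>":
            in_trace = False
        elif s.startswith("---[ end trace"):
            in_trace, cur = False, None
        elif in_trace:
            if not line[:1].isspace():
                in_trace = False        # "RIP: 0033:..." and registers: user-space return state
            else:
                m = FRAME_RE.match(line)
                if m:
                    cur.frames.append((m["func"], m["loc"] or ""))
    return splats


def signature(s: Splat) -> tuple:
    """(warning site, innermost kernel caller, syscall name): the fields worth grouping on."""
    caller = s.frames[0][0] if s.frames else ""
    syscall = ""
    for func, _ in s.frames:
        m = SYSCALL_RE.match(func)
        if m:
            syscall = m["name"]
            break
    return (f"{s.func} {s.site}", caller, syscall)


def group_reports(text: str) -> dict:
    """Group parsed splats by signature: one key per distinct path into the WARN_ON."""
    groups = {}
    for s in parse_splats(text):
        groups.setdefault(signature(s), []).append(s)
    return groups


# Trimmed excerpt of the two reports quoted in the issue (constructed sample input).
SAMPLE = """\
netlink: 'syz.1.799': attribute type 27 has an invalid length.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5331 at net/core/skbuff.c:6128 skb_try_coalesce+0x9d8/0xa70 net/core/skbuff.c:6128
CPU: 0 UID: 0 PID: 5331 Comm: syz.0.819 Not tainted 6.15.0-rc7-gbf987676298e #12 PREEMPT(voluntary)
Call Trace:
 <TASK>
 tcp_try_coalesce+0x14a/0x220 net/ipv4/tcp_input.c:4913
 sk_backlog_rcv include/net/sock.h:1148 [inline]
 __do_sys_sendmmsg net/socket.c:2736 [inline]
 __x64_sys_sendmmsg+0x25/0x30 net/socket.c:2733
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff55d7536ed
 </TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 12742 at net/core/skbuff.c:6128 skb_try_coalesce+0x9d8/0xa70 net/core/skbuff.c:6128
CPU: 0 UID: 0 PID: 12742 Comm: syz.8.2854 Not tainted 6.16.0-rc5-g455f606172fa #22 PREEMPT(voluntary)
Call Trace:
 <TASK>
 mptcp_try_coalesce+0xd4/0x180 net/mptcp/protocol.c:153
 __mptcp_move_skb net/mptcp/protocol.c:333 [inline]
 __do_sys_sendto net/socket.c:2235 [inline]
 __x64_sys_sendto+0x28/0x30 net/socket.c:2231
 </TASK>
---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for sig, reports in group_reports(SAMPLE).items():
        print(sig, [(r.comm, r.kernel) for r in reports])
```

The grouping key deliberately ignores the PID, the register dump and the exact code offsets, which change from run to run, and keeps only the warning site, the first kernel frame below it and the entering syscall; the kernel version and taint flag are kept on each record so a signature seen across several builds (here 6.15-rc7 and 6.16-rc5) can be tracked without splitting it into separate groups.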
