Re: [tcp] 4057037535: WARNING:at_include/net/tcp.h:#tcp_clean_rtx_queue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Apr 24, 2022 at 6:29 PM kernel test robot <oliver.sang@xxxxxxxxx> wrote:
>
>
>
> Greeting,
>
> FYI, we noticed the following commit (built with gcc-11):
>
> commit: 40570375356c874b1578e05c1dcc3ff7c1322dbe ("tcp: add accessors to read/set tp->snd_cwnd")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> in testcase: syzkaller
> version:
> with following parameters:
>
>         runtime: 1800s
>         crash_id: 1e0a1e088f3d3b25620f291e7486b87e64cdf356
>
>
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
>
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
>
>
> [ 31.496199][ C1] WARNING: CPU: 1 PID: 1254 at include/net/tcp.h:1217 tcp_clean_rtx_queue+0x224e/0x28c0
> [   31.498766][    C1] Modules linked in: ip6_vti xfrm6_tunnel ip_vti ip_gre ipip sit tunnel4 ip_tunnel 8021q garp mrp veth dummy vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun bochs drm_vram_helper drm_ttm_helper ttm sr_mod drm_kms_helper cdrom sg syscopyarea sysfillrect ata_generic sysimgblt fb_sys_fops intel_rapl_msr intel_rapl_common crct10dif_pclmul ppdev crc32_pclmul ata_piix crc32c_intel ghash_clmulni_intel rapl drm libata ipmi_devintf ipmi_msghandler joydev parport_pc serio_raw i2c_piix4 parport ip_tables
> [   31.511179][    C1] CPU: 1 PID: 1254 Comm: repro Not tainted 5.18.0-rc1-00028-g40570375356c #1
> [   31.513565][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [ 31.516157][ C1] RIP: tcp_clean_rtx_queue+0x224e/0x28c0
> [ 31.518892][ C1] Code: 75 ea ff ff 48 89 ef 89 14 24 e8 8d f6 8e fe 8b 14 24 e9 c9 ea ff ff 4c 89 f7 89 14 24 e8 7a f6 8e fe 8b 14 24 e9 ee ea ff ff <0f> 0b e9 cd f7 ff ff 4c 89 8c 24 80 00 00 00 48 89 44 24 78 48 89
> All code
> ========
>    0:   75 ea                   jne    0xffffffffffffffec
>    2:   ff                      (bad)
>    3:   ff 48 89                decl   -0x77(%rax)
>    6:   ef                      out    %eax,(%dx)
>    7:   89 14 24                mov    %edx,(%rsp)
>    a:   e8 8d f6 8e fe          callq  0xfffffffffe8ef69c
>    f:   8b 14 24                mov    (%rsp),%edx
>   12:   e9 c9 ea ff ff          jmpq   0xffffffffffffeae0
>   17:   4c 89 f7                mov    %r14,%rdi
>   1a:   89 14 24                mov    %edx,(%rsp)
>   1d:   e8 7a f6 8e fe          callq  0xfffffffffe8ef69c
>   22:   8b 14 24                mov    (%rsp),%edx
>   25:   e9 ee ea ff ff          jmpq   0xffffffffffffeb18
>   2a:*  0f 0b                   ud2             <-- trapping instruction
>   2c:   e9 cd f7 ff ff          jmpq   0xfffffffffffff7fe
>   31:   4c 89 8c 24 80 00 00    mov    %r9,0x80(%rsp)
>   38:   00
>   39:   48 89 44 24 78          mov    %rax,0x78(%rsp)
>   3e:   48                      rex.W
>   3f:   89                      .byte 0x89
>
> Code starting with the faulting instruction
> ===========================================
>    0:   0f 0b                   ud2
>    2:   e9 cd f7 ff ff          jmpq   0xfffffffffffff7d4
>    7:   4c 89 8c 24 80 00 00    mov    %r9,0x80(%rsp)
>    e:   00
>    f:   48 89 44 24 78          mov    %rax,0x78(%rsp)
>   14:   48                      rex.W
>   15:   89                      .byte 0x89
> [   31.527983][    C1] RSP: 0018:ffffc90000188558 EFLAGS: 00010246
> [   31.530575][    C1] RAX: 0000000000000000 RBX: ffff88810c710000 RCX: 1ffff110218e209f
> [   31.533389][    C1] RDX: 0000000000004fdc RSI: 0000000000008219 RDI: ffffffff9b66bf12
> [   31.536156][    C1] RBP: ffff88810c7106bc R08: ffff88810c710658 R09: ffffc900001887b0
> [   31.539244][    C1] R10: 0000000000000000 R11: ffff8881982c4028 R12: ffff88810c7104f8
> [   31.543472][    C1] R13: 0000000000001004 R14: ffff88810c710684 R15: ffffc90000188780
> [   31.546255][    C1] FS:  00007f3f1ee4d540(0000) GS:ffff888398700000(0000) knlGS:0000000000000000
> [   31.550168][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   31.553203][    C1] CR2: 00007ffce7024198 CR3: 00000001991a8000 CR4: 00000000000406e0
> [   31.556803][    C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   31.560524][    C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   31.563664][    C1] Call Trace:
> [   31.566375][    C1]  <IRQ>

I am not sure if this gcc-11 specific, but I find this stack trace unusable.

I think I will wait for a regular syzbot report to investigate this, as planned.

Thanks.


> [ 31.568872][ C1] ? process_backlog (include/linux/netdevice.h:3099 net/core/dev.c:5853)
> [ 31.571598][ C1] ? __napi_poll (net/core/dev.c:6417)
> [ 31.574512][ C1] ? net_rx_action (net/core/dev.c:6486 net/core/dev.c:6571)
> [ 31.582096][ C1] ? tcp_ack_update_rtt (net/ipv4/tcp_input.c:3219)
> [ 31.585096][ C1] ? ip_output (net/ipv4/ip_output.c:422)
> [ 31.588205][ C1] ? __ip_queue_xmit (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:726 net/ipv4/ip_output.c:533)
> [ 31.591309][ C1] ? __tcp_transmit_skb (net/ipv4/tcp_output.c:1402 (discriminator 4))
> [ 31.594438][ C1] ? tcp_rcv_established (net/ipv4/tcp_input.c:5542 net/ipv4/tcp_input.c:5971)
> [ 31.602140][ C1] ? tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1706)
> [ 31.605173][ C1] ? __release_sock (include/net/sock.h:1051 net/core/sock.c:2794)
> [ 31.608262][ C1] ? __sk_flush_backlog (include/linux/spinlock.h:394 net/core/sock.c:2815)
> [ 31.611199][ C1] ? tcp_sendmsg_locked (net/ipv4/tcp.c:1295)
> [ 31.614237][ C1] tcp_ack (net/ipv4/tcp_input.c:3864)
> [ 31.616988][ C1] ? tcp_rearm_rto (net/ipv4/tcp_input.c:3738)
> [ 31.619946][ C1] ? skb_try_coalesce (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 include/linux/skbuff.h:1866 include/linux/skbuff.h:1863 net/core/skbuff.c:5276)
> [ 31.622949][ C1] ? skb_release_data (net/core/skbuff.c:677)
> [ 31.625850][ C1] ? __ip_queue_xmit (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:726 net/ipv4/ip_output.c:533)
> [ 31.628741][ C1] ? tcp_reset (net/ipv4/tcp_input.c:5668)
> [ 31.631546][ C1] ? kvm_clock_get_cycles (arch/x86/include/asm/preempt.h:85 arch/x86/kernel/kvmclock.c:80 arch/x86/kernel/kvmclock.c:86)
> [ 31.646267][ C1] tcp_rcv_established (net/ipv4/tcp_input.c:5959)
> [ 31.649621][ C1] ? __inet_lookup_established (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:560 include/linux/refcount.h:157 include/linux/refcount.h:227 include/linux/refcount.h:245 net/ipv4/inet_hashtables.c:415)
> [ 31.652688][ C1] ? tcp_inbound_md5_hash (net/ipv4/tcp.c:4467)
> [ 31.655694][ C1] ? tcp_data_queue (net/ipv4/tcp_input.c:5800)
> [ 31.658687][ C1] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
> [ 31.661532][ C1] tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1706)
> [ 31.664236][ C1] tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2074)
> [ 31.667214][ C1] ? tcp_v4_early_demux (net/ipv4/tcp_ipv4.c:1912)
> [ 31.669880][ C1] ? dst_destroy (net/core/dst.c:127)
> [ 31.672397][ C1] ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))
> [ 31.674945][ C1] ? rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2542)
> [ 31.677311][ C1] ip_local_deliver_finish (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:726 net/ipv4/ip_input.c:234)
> [ 31.679790][ C1] ip_local_deliver (net/ipv4/ip_input.c:243)
> [ 31.682152][ C1] ? ip_local_deliver_finish (net/ipv4/ip_input.c:243)
> [ 31.684557][ C1] ? __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/irq.h:142 kernel/softirq.c:559)
> [ 31.686768][ C1] ? __irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:637)
> [ 31.689060][ C1] ? sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1097 (discriminator 14))
> [ 31.691618][ C1] ? asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:645)
> [ 31.693927][ C1] ? finish_task_switch+0x1c1/0x740
> [ 31.697029][ C1] ? memset (mm/kasan/shadow.c:44)
> [ 31.699095][ C1] ? ip_rcv_core (net/ipv4/ip_input.c:523)
> [ 31.701275][ C1] ip_rcv (include/net/dst.h:461 net/ipv4/ip_input.c:437 include/linux/netfilter.h:307 include/linux/netfilter.h:301 net/ipv4/ip_input.c:556)
> [ 31.703312][ C1] ? ip_rcv_finish (net/ipv4/ip_input.c:549)
> [ 31.705353][ C1] ? refcount_dec_not_one (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:552 lib/refcount.c:91)
> [ 31.707466][ C1] ? refcount_warn_saturate (lib/refcount.c:75)
> [ 31.709493][ C1] ? preferred_group_nid (kernel/sched/fair.c:717)
> [ 31.711630][ C1] ? update_load_avg (kernel/sched/fair.c:3647 kernel/sched/fair.c:3902)
> [ 31.715378][ C1] ? ip_rcv_finish (net/ipv4/ip_input.c:549)
> [ 31.717604][ C1] __netif_receive_skb_one_core (net/core/dev.c:5409 (discriminator 4))
> [ 31.719774][ C1] ? __netif_receive_skb_list_core (net/core/dev.c:5402)
> [ 31.722020][ C1] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170)
> [ 31.724095][ C1] ? dst_destroy (net/core/dst.c:127)
> [ 31.726154][ C1] process_backlog (include/linux/netdevice.h:3099 net/core/dev.c:5853)
> [ 31.728229][ C1] __napi_poll (net/core/dev.c:6417)
> [ 31.730278][ C1] net_rx_action (net/core/dev.c:6486 net/core/dev.c:6571)
> [ 31.732301][ C1] ? napi_threaded_poll (net/core/dev.c:6549)
> [ 31.735070][ C1] ? sched_clock_cpu (kernel/sched/clock.c:369)
> [ 31.737088][ C1] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/irq.h:142 kernel/softirq.c:559)
> [ 31.739099][ C1] do_softirq (kernel/softirq.c:459 kernel/softirq.c:446)
> [   31.741070][    C1]  </IRQ>
> [   31.744856][    C1]  <TASK>
> [ 31.746699][ C1] ? inet_send_prepare (net/ipv4/af_inet.c:813)
> [ 31.748725][ C1] __local_bh_enable_ip (kernel/softirq.c:383)
> [ 31.750696][ C1] tcp_sendmsg (net/ipv4/tcp.c:1453)
> [ 31.753196][ C1] sock_sendmsg (net/socket.c:705 net/socket.c:725)
> [ 31.755383][ C1] ____sys_sendmsg (net/socket.c:2413)
> [ 31.757403][ C1] ? kernel_sendmsg (net/socket.c:2360)
> [ 31.759426][ C1] ? __ia32_sys_recvmmsg (net/socket.c:2435)
> [ 31.761464][ C1] ? kasan_save_stack (mm/kasan/common.c:40)
> [ 31.764008][ C1] ? kasan_save_stack (mm/kasan/common.c:39)
> [ 31.766031][ C1] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
> [ 31.768054][ C1] ? kmem_cache_alloc (mm/slab.h:749 mm/slub.c:3217 mm/slub.c:3225 mm/slub.c:3232 mm/slub.c:3242)
> [ 31.770051][ C1] ? __alloc_file (fs/file_table.c:139)
> [ 31.772190][ C1] ? alloc_empty_file (fs/file_table.c:187)
> [ 31.774271][ C1] ? alloc_file (fs/file_table.c:229)
> [ 31.776641][ C1] ___sys_sendmsg (net/socket.c:2469)
> [ 31.778655][ C1] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
> [ 31.780781][ C1] ? xa_extract (lib/xarray.c:1454)
> [ 31.782714][ C1] ? sendmsg_copy_msghdr (net/socket.c:2456)
> [ 31.785079][ C1] ? memcg_slab_post_alloc_hook (mm/slab.h:526 (discriminator 2))
> [ 31.787344][ C1] ? sock_i_uid (net/core/sock.c:2429)
> [ 31.789475][ C1] ? inet_csk_update_fastreuse (net/ipv4/inet_connection_sock.c:311)
> [ 31.791556][ C1] ? kmem_cache_alloc (mm/slub.c:3219 mm/slub.c:3225 mm/slub.c:3232 mm/slub.c:3242)
> [ 31.793634][ C1] ? __fget_light (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 fs/file.c:1032)
> [ 31.795591][ C1] __sys_sendmmsg (net/socket.c:2553)
> [ 31.797545][ C1] ? __ia32_sys_sendmsg (net/socket.c:2514)
> [ 31.800785][ C1] ? __sys_bind (net/socket.c:1697)
> [ 31.802796][ C1] ? __sys_socket (net/socket.c:1542)
> [ 31.804683][ C1] ? compat_sock_ioctl (net/socket.c:1542)
> [ 31.806894][ C1] ? __ia32_sys_read (fs/read_write.c:634)
> [ 31.808854][ C1] __x64_sys_sendmmsg (net/socket.c:2579)
> [ 31.811111][ C1] ? __x64_sys_bind (net/socket.c:1706)
> [ 31.813103][ C1] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> [ 31.815273][ C1] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
> [   31.817315][    C1] RIP: 0033:0x7f3f1ed7ef59
> [ 31.819337][ C1] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
> All code
> ========
>    0:   00 c3                   add    %al,%bl
>    2:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
>    9:   00 00 00
>
>
> To reproduce:
>
>         # build kernel
>         cd linux
>         cp config-5.18.0-rc1-00028-g40570375356c .config
>         make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
>         make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
>         cd <mod-install-dir>
>         find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
>
>
>         git clone https://github.com/intel/lkp-tests.git
>         cd lkp-tests
>         bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
>
>         # if come across any failure that blocks the test,
>         # please remove ~/.lkp and /lkp dir to run from a clean state.
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://01.org/lkp
>
>





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux