Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[syzkaller] Divide by 0 in mptcp_subflow_get_send() #314

Closed
mjmartineau opened this issue Oct 22, 2022 · 2 comments
Closed

[syzkaller] Divide by 0 in mptcp_subflow_get_send() #314

mjmartineau opened this issue Oct 22, 2022 · 2 comments
Assignees
@geliangtang

Comments

@mjmartineau
Copy link
Member

Syzkaller has started reporting a divide error in mptcp_subflow_get_send() (three times in 10 minutes). Tag export/20221021T061837.

(I had not been running syzkaller most of the week due to c_start() warnings triggered by a cpumask bug, which prevented any useful syskaller results)

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
Code: 49 0f af 5d 10 48 c1 ea 03 80 3c 02 00 0f 85 7d 06 00 00 49 8b 94 24 50 03 00 00 44 89 f0 44 89 f9 48 0f af c2 31 d2 48 01 d8 <48> f7 f1 48 8b 14 24 48 c1 ea 03 49 89 45 10 48 b8 00 00 00 00 00
RSP: 0018:ffffc9000e38f370 EFLAGS: 00010216
RAX: 06e5618100000000 RBX: 00003315a7530468 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8411a48a RDI: ffff888034110fd0
RBP: ffffc9000e38f468 R08: 0000000000000000 R09: ffffffff866ebc17
R10: fffffbfff0cdd782 R11: 0000000000000001 R12: ffff888034110c80
R13: ffff88810c145c00 R14: 00000000fff89798 R15: 0000000000000000
FS:  00007f8cc79d3640(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200c7000 CR3: 000000003779c004 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 __mptcp_push_pending+0x19e/0x770 net/mptcp/protocol.c:1550
 mptcp_sendmsg+0x694/0x19d0 net/mptcp/protocol.c:1813
 inet_sendmsg+0x11f/0x150 net/ipv4/af_inet.c:828
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0x141/0x190 net/socket.c:734
 sock_no_sendpage+0x13d/0x1c0 net/core/sock.c:3219
 inet_sendpage+0x106/0x130 net/ipv4/af_inet.c:846
 kernel_sendpage net/socket.c:3561 [inline]
 kernel_sendpage+0x276/0x820 net/socket.c:3555
 sock_sendpage+0x89/0xb0 net/socket.c:1054
 pipe_to_sendpage+0x2b4/0x390 fs/splice.c:361
 splice_from_pipe_feed fs/splice.c:415 [inline]
 __splice_from_pipe+0x46d/0x8b0 fs/splice.c:559
 splice_from_pipe fs/splice.c:594 [inline]
 generic_splice_sendpage+0xda/0x140 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 direct_splice_actor+0x115/0x190 fs/splice.c:931
 splice_direct_to_actor+0x338/0x8d0 fs/splice.c:886
 do_splice_direct+0x1bd/0x290 fs/splice.c:974
 do_sendfile+0xb18/0x12e0 fs/read_write.c:1255
 __do_sys_sendfile64 fs/read_write.c:1323 [inline]
 __se_sys_sendfile64 fs/read_write.c:1309 [inline]
 __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1309
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8cc8281e7d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8cc79d3028 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f8cc83c1050 RCX: 00007f8cc8281e7d
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f8cc82f3593 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000800002 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f8cc83c1050 R15: 00007f8cc79b3000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
Code: 49 0f af 5d 10 48 c1 ea 03 80 3c 02 00 0f 85 7d 06 00 00 49 8b 94 24 50 03 00 00 44 89 f0 44 89 f9 48 0f af c2 31 d2 48 01 d8 <48> f7 f1 48 8b 14 24 48 c1 ea 03 49 89 45 10 48 b8 00 00 00 00 00
RSP: 0018:ffffc9000e38f370 EFLAGS: 00010216
RAX: 06e5618100000000 RBX: 00003315a7530468 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8411a48a RDI: ffff888034110fd0
RBP: ffffc9000e38f468 R08: 0000000000000000 R09: ffffffff866ebc17
R10: fffffbfff0cdd782 R11: 0000000000000001 R12: ffff888034110c80
R13: ffff88810c145c00 R14: 00000000fff89798 R15: 0000000000000000
FS:  00007f8cc79d3640(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204b0000 CR3: 000000003779c006 CR4: 0000000000770ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:	49 0f af 5d 10       	imul   0x10(%r13),%rbx
   5:	48 c1 ea 03          	shr    $0x3,%rdx
   9:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   d:	0f 85 7d 06 00 00    	jne    0x690
  13:	49 8b 94 24 50 03 00 	mov    0x350(%r12),%rdx
  1a:	00
  1b:	44 89 f0             	mov    %r14d,%eax
  1e:	44 89 f9             	mov    %r15d,%ecx
  21:	48 0f af c2          	imul   %rdx,%rax
  25:	31 d2                	xor    %edx,%edx
  27:	48 01 d8             	add    %rbx,%rax
* 2a:	48 f7 f1             	div    %rcx <-- trapping instruction
  2d:	48 8b 14 24          	mov    (%rsp),%rdx
  31:	48 c1 ea 03          	shr    $0x3,%rdx
  35:	49 89 45 10          	mov    %rax,0x10(%r13)
  39:	48                   	rex.W
  3a:	b8 00 00 00 00       	mov    $0x0,%eax

Line 1486 of protocol.c is:

	subflow->avg_pacing_rate = div_u64((u64)subflow->avg_pacing_rate * wmem +
					   READ_ONCE(ssk->sk_pacing_rate) * burst,
					   burst + wmem);

So somehow wmem == -burst? (burst is already confirmed as a non-zero value)

report0.gz
log0.gz
config.gz
@geliangtang geliangtang self-assigned this Oct 22, 2022
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Oct 22, 2022
@geliangtang @intel-lab-lkp
mptcp: fix divide error in mptcp_subflow_get_send
3f16957 
Fix this divide error:

----
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
----

Closes: multipath-tcp/mptcp_net-next#314
Reported-by: Mat Martineau <[email protected]>
Signed-off-by: Geliang Tang <[email protected]>
@geliangtang
Copy link
Member

Mat, I just sent a patch to fix this error:
https://patchwork.kernel.org/project/mptcp/patch/[email protected]/

intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Oct 25, 2022
@geliangtang @intel-lab-lkp
Revert "mptcp: add get_subflow wrappers" - fix divide error in mptcp_…
8ec9552 
…subflow_get_send

This reverts commit 8ae8437.

The wrapper mptcp_sched_get_send() will be added in the later patch
"mptcp: use get_send wrapper", and the wrapper mptcp_sched_get_retrans()
will be added in the later patch "mptcp: use get_retrans wrapper".

Fix this divide error:

----
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
----

Closes: multipath-tcp/mptcp_net-next#314
Reported-by: Mat Martineau <[email protected]>
Signed-off-by: Geliang Tang <[email protected]>
matttbe pushed a commit that referenced this issue Oct 31, 2022
@geliangtang @matttbe
Revert "mptcp: add get_subflow wrappers" - fix divide error in mptcp_…
dce423f 
…subflow_get_send

This reverts commit 8ae8437.

The wrapper mptcp_sched_get_send() will be added in the later patch
"mptcp: use get_send wrapper", and the wrapper mptcp_sched_get_retrans()
will be added in the later patch "mptcp: use get_retrans wrapper".

Fix this divide error:

----
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 14336 Comm: syz-executor.6 Not tainted 6.1.0-rc1-00215-g47aa7f23f440 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div_u64_rem include/linux/math64.h:29 [inline]
RIP: 0010:div_u64 include/linux/math64.h:128 [inline]
RIP: 0010:mptcp_subflow_get_send+0xa87/0x1200 net/mptcp/protocol.c:1486
----

Closes: #314
Reported-by: Mat Martineau <[email protected]>
Signed-off-by: Geliang Tang <[email protected]>
Link: https://lore.kernel.org/r/95f77f38e54f9564608e844f507701c04745475b.1666668425.git.geliang.tang@suse.com
Signed-off-by: Matthieu Baerts <[email protected]>
@matttbe
Copy link
Member

matttbe commented Oct 31, 2022

Now in our tree:

Tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20221031T151210

Thank you for the fix!

@matttbe matttbe closed this as completed Oct 31, 2022
matttbe pushed a commit that referenced this issue Mar 27, 2024
@sm00th
arm64: bpf: fix 32bit unconditional bswap
a51cd6b 
In case when is64 == 1 in emit(A64_REV32(is64, dst, dst), ctx) the
generated insn reverses byte order for both high and low 32-bit words,
resuling in an incorrect swap as indicated by the jit test:

[ 9757.262607] test_bpf: #312 BSWAP 16: 0x0123456789abcdef -> 0xefcd jited:1 8 PASS
[ 9757.264435] test_bpf: #313 BSWAP 32: 0x0123456789abcdef -> 0xefcdab89 jited:1 ret 1460850314 != -271733879 (0x5712ce8a != 0xefcdab89)FAIL (1 times)
[ 9757.266260] test_bpf: #314 BSWAP 64: 0x0123456789abcdef -> 0x67452301 jited:1 8 PASS
[ 9757.268000] test_bpf: #315 BSWAP 64: 0x0123456789abcdef >> 32 -> 0xefcdab89 jited:1 8 PASS
[ 9757.269686] test_bpf: #316 BSWAP 16: 0xfedcba9876543210 -> 0x1032 jited:1 8 PASS
[ 9757.271380] test_bpf: #317 BSWAP 32: 0xfedcba9876543210 -> 0x10325476 jited:1 ret -1460850316 != 271733878 (0xa8ed3174 != 0x10325476)FAIL (1 times)
[ 9757.273022] test_bpf: #318 BSWAP 64: 0xfedcba9876543210 -> 0x98badcfe jited:1 7 PASS
[ 9757.274721] test_bpf: #319 BSWAP 64: 0xfedcba9876543210 >> 32 -> 0x10325476 jited:1 9 PASS

Fix this by forcing 32bit variant of rev32.

Fixes: 1104247 ("bpf, arm64: Support unconditional bswap")
Signed-off-by: Artem Savkov <[email protected]>
Tested-by: Puranjay Mohan <[email protected]>
Acked-by: Puranjay Mohan <[email protected]>
Acked-by: Xu Kuohai <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
matttbe pushed a commit that referenced this issue May 20, 2024
@chleroy @mpe
powerpc/bpf/32: Fix failing test_bpf tests
8ecf3c1 
Recent additions in BPF like cpu v4 instructions, test_bpf module
exhibits the following failures:

  test_bpf: #82 ALU_MOVSX | BPF_B jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #83 ALU_MOVSX | BPF_H jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #84 ALU64_MOVSX | BPF_B jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #85 ALU64_MOVSX | BPF_H jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)
  test_bpf: #86 ALU64_MOVSX | BPF_W jited:1 ret 2 != 1 (0x2 != 0x1)FAIL (1 times)

  test_bpf: #165 ALU_SDIV_X: -6 / 2 = -3 jited:1 ret 2147483645 != -3 (0x7ffffffd != 0xfffffffd)FAIL (1 times)
  test_bpf: #166 ALU_SDIV_K: -6 / 2 = -3 jited:1 ret 2147483645 != -3 (0x7ffffffd != 0xfffffffd)FAIL (1 times)

  test_bpf: #169 ALU_SMOD_X: -7 % 2 = -1 jited:1 ret 1 != -1 (0x1 != 0xffffffff)FAIL (1 times)
  test_bpf: #170 ALU_SMOD_K: -7 % 2 = -1 jited:1 ret 1 != -1 (0x1 != 0xffffffff)FAIL (1 times)

  test_bpf: #172 ALU64_SMOD_K: -7 % 2 = -1 jited:1 ret 1 != -1 (0x1 != 0xffffffff)FAIL (1 times)

  test_bpf: #313 BSWAP 16: 0x0123456789abcdef -> 0xefcd
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 301 PASS
  test_bpf: #314 BSWAP 32: 0x0123456789abcdef -> 0xefcdab89
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 555 PASS
  test_bpf: #315 BSWAP 64: 0x0123456789abcdef -> 0x67452301
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 268 PASS
  test_bpf: #316 BSWAP 64: 0x0123456789abcdef >> 32 -> 0xefcdab89
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 269 PASS
  test_bpf: #317 BSWAP 16: 0xfedcba9876543210 -> 0x1032
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 460 PASS
  test_bpf: #318 BSWAP 32: 0xfedcba9876543210 -> 0x10325476
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 320 PASS
  test_bpf: #319 BSWAP 64: 0xfedcba9876543210 -> 0x98badcfe
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 222 PASS
  test_bpf: #320 BSWAP 64: 0xfedcba9876543210 >> 32 -> 0x10325476
  eBPF filter opcode 00d7 (@2) unsupported
  jited:0 273 PASS

  test_bpf: #344 BPF_LDX_MEMSX | BPF_B
  eBPF filter opcode 0091 (@5) unsupported
  jited:0 432 PASS
  test_bpf: #345 BPF_LDX_MEMSX | BPF_H
  eBPF filter opcode 0089 (@5) unsupported
  jited:0 381 PASS
  test_bpf: #346 BPF_LDX_MEMSX | BPF_W
  eBPF filter opcode 0081 (@5) unsupported
  jited:0 505 PASS

  test_bpf: #490 JMP32_JA: Unconditional jump: if (true) return 1
  eBPF filter opcode 0006 (@1) unsupported
  jited:0 261 PASS

  test_bpf: Summary: 1040 PASSED, 10 FAILED, [924/1038 JIT'ed]

Fix them by adding missing processing.

Fixes: daabb2b ("bpf/tests: add tests for cpuv4 instructions")
Signed-off-by: Christophe Leroy <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Link: https://msgid.link/91de862dda99d170697eb79ffb478678af7e0b27.1709652689.git.christophe.leroy@csgroup.eu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geliangtang geliangtang

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@matttbe @geliangtang @mjmartineau