From: Sabrina Dubroca <sd@queasysnail.net>
To: syzbot <syzbot+6ac73b3abf1b598863fa@syzkaller.appspotmail.com>
Cc: borisp@nvidia.com, davem@davemloft.net, edumazet@google.com,
horms@kernel.org, john.fastabend@gmail.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] INFO: task hung in lock_sock_nested (5)
Date: Tue, 7 Jan 2025 12:08:23 +0100
Message-ID: <Z30LJ6upikEXVxeE@hog>
In-Reply-To: <676d231b.050a0220.2f3838.0461.GAE@google.com>

2024-12-26, 01:34:19 -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9268abe611b0 Merge branch 'net-lan969x-add-rgmii-support'
> git tree: net-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1760eadf980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b087c24b921cdc16
> dashboard link: https://syzkaller.appspot.com/bug?extid=6ac73b3abf1b598863fa
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122f74c4580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155c0018580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/8274f60b0163/disk-9268abe6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f7b3fde537e7/vmlinux-9268abe6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/db4cccf7caae/bzImage-9268abe6.xz
>
> The issue was bisected to:
>
> commit 47069594e67e882ec5c1d8d374f6aab037511509
> Author: Sabrina Dubroca <sd@queasysnail.net>
> Date: Thu Dec 12 15:36:05 2024 +0000
>
> tls: implement rekey for TLS1.3
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13da8018580000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=103a8018580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=17da8018580000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6ac73b3abf1b598863fa@syzkaller.appspotmail.com
> Fixes: 47069594e67e ("tls: implement rekey for TLS1.3")
>
> INFO: task syz-executor309:5851 blocked for more than 143 seconds.
> Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor309 state:D stack:28496 pid:5851 tgid:5846 ppid:5845 flags:0x00004006

I'm getting a different (and IMO much more helpful in pointing out the
issue) trace when I run the repro:

BUG: TASK stack guard page was hit at ffffc9000294fff8 (stack is ffffc90002950000..ffffc90002958000)
[...]
Call Trace:
<#DF>
? die+0x32/0x80
? handle_stack_overflow+0xa5/0xe0
? get_stack_info_noinstr+0x14/0x120
? exc_double_fault+0x140/0x180
? asm_exc_double_fault+0x1f/0x60
? mark_lock+0xfc/0x2370
? tls_sw_write_space+0x10/0x150
</#DF>
<TASK>
tls_write_space+0xd4/0x170
tls_write_space+0xfd/0x170
tls_write_space+0xfd/0x170
... a few hundred more of those lines
tls_write_space+0xfd/0x170
tls_write_space+0xfd/0x170
tls_write_space+0xfd/0x170
sk_setsockopt+0x1b7a/0x48b0
? tracer_preempt_on+0xd7/0x490
? __pfx_sk_setsockopt+0x10/0x10
? find_held_lock+0x2d/0x110
? lock_release+0x44e/0x6f0
do_sock_setsockopt+0x31e/0x3f0
? __pfx_do_sock_setsockopt+0x10/0x10
? __fget_files+0x1d9/0x370
__sys_setsockopt+0x103/0x170
__x64_sys_setsockopt+0xbe/0x160
? do_syscall_64+0x2a/0x140
? lockdep_hardirqs_on+0x74/0x100
do_syscall_64+0x64/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f0f2fc4b1fd
[...]

I don't know why syzbot is only getting a hung task.

Anyway, good find by syzbot, I missed that when I wrote the rekey
code:

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 9ee5a83c5b40..99ca4465f702 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -737,6 +737,10 @@ static int do_tls_setsockopt_conf(struct sock *sk, sockptr_t optval,
else
ctx->rx_conf = conf;
update_sk_prot(sk, ctx);
+
+ if (update)
+ return 0;
+
if (tx) {
ctx->sk_write_space = sk->sk_write_space;
sk->sk_write_space = tls_write_space;
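
Review bot: the new `if (update) return 0;` placed just before the `if (tx)` block needs a comment saying why a rekey must not reach the lines below it. On an update, `sk->sk_write_space` is presumably already `tls_write_space` from the initial setup, so `ctx->sk_write_space = sk->sk_write_space;` would save the TLS callback as its own saved callback, which matches the repeated `tls_write_space` frames in the trace above. The return also skips whatever follows the `if (tx)` branch, and only the TX side is visible in this context, so it is worth confirming that nothing in the remainder of the function is needed on rekey. The formal submission should also carry the Reported-by and Fixes tags syzbot asked for.
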
--
Sabrina