syzkaller: divide error in `__tcp_select_window`

[cpaasch]

HEAD: de5e8fd

syzkaller-id: e4d528e2abf5f9ab3d895e5021c40a119902b080

Trace:

divide error: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018
Code: 41 01 dc 44 89 e7 e8 d3 5f 0c ff 41 39 ec 0f 8d 6b ff ff ff e8 55 65 0c ff 89 eb e9 5f ff ff ff e8 49 65 0c ff 89 e8 89 eb 99 <41> f7 fe 29 d3 e9 4b ff ff ff e8 35 65 0c ff 89 e9 f7 d9 41 d3 fc
RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293
RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004
RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000
R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tcp_select_window net/ipv4/tcp_output.c:262 [inline]
 __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345
 tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
 tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459
 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]
 mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705
 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390
 worker_thread+0x5b/0x610 kernel/workqueue.c:2537
 kthread+0x138/0x170 kernel/kthread.c:376
 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018
Code: 41 01 dc 44 89 e7 e8 d3 5f 0c ff 41 39 ec 0f 8d 6b ff ff ff e8 55 65 0c ff 89 eb e9 5f ff ff ff e8 49 65 0c ff 89 e8 89 eb 99 <41> f7 fe 29 d3 e9 4b ff ff ff e8 35 65 0c ff 89 e9 f7 d9 41 d3 fc
RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293
RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004
RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000
R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	41 01 dc             	add    %ebx,%r12d
   3:	44 89 e7             	mov    %r12d,%edi
   6:	e8 d3 5f 0c ff       	callq  0xff0c5fde
   b:	41 39 ec             	cmp    %ebp,%r12d
   e:	0f 8d 6b ff ff ff    	jge    0xffffff7f
  14:	e8 55 65 0c ff       	callq  0xff0c656e
  19:	89 eb                	mov    %ebp,%ebx
  1b:	e9 5f ff ff ff       	jmpq   0xffffff7f
  20:	e8 49 65 0c ff       	callq  0xff0c656e
  25:	89 e8                	mov    %ebp,%eax
  27:	89 eb                	mov    %ebp,%ebx
  29:	99                   	cltd
* 2a:	41 f7 fe             	idiv   %r14d <-- trapping instruction
  2d:	29 d3                	sub    %edx,%ebx
  2f:	e9 4b ff ff ff       	jmpq   0xffffff7f
  34:	e8 35 65 0c ff       	callq  0xff0c656e
  39:	89 e9                	mov    %ebp,%ecx
  3b:	f7 d9                	neg    %ecx
  3d:	41 d3 fc             	sar    %cl,%r12d

syz-repro:

# {Threaded:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e24, @empty}, 0x10)
listen(r0, 0x0)
setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000000), 0x4)
r1 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmsg$inet(r1, &(0x7f0000000440)={&(0x7f00000000c0)={0x2, 0x4e24, @loopback}, 0x10, 0x0, 0x0, &(0x7f0000000080)=ANY=[], 0xc0}, 0x34000004)
sendmmsg$inet(r1, &(0x7f00000032c0)=[{{0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000640)="c7dc7ea482d3a432836603561ced1483a8e7605bf32db2fe68afeb6cab8560ac394d7fdd0b6fba7d6d3287ec51dbdf860df96c9268f930a6e3a586e8684a5d3e5409c487f64f610b8f2351412c0132a87f1d6178278b9a9f923702d4a829429d640e1605e592885163631608c1464ae35eb4191d9f381811acc676860c3b4bc3b231930d4d9d3cadd560bd4544db5164f4d360a8a2ee8e07dd61483a92527d5f7db6df65768aa95145d43698fe9046e7d3b906a4329455fdee5a3d59bec29239ff00c690d5dc02b4107fdfd94b1ef6e1ac216f152cf7fc14ca", 0xd9}, {0x0}, {0x0}, {0x0}], 0x4}}, {{0x0, 0x0, &(0x7f00000011c0)=[{&(0x7f0000000c00)="abb74a731b37f9e629c01b32fa9690b93038d1cffd34229bd4975c09ff20d7843afad91f237588131e0d185769ee1bbbef2cde95bf843bdfd56fff2b97e7e24c6e5db473eaec91f7a60037d9351ab3e7e2956086a3f665fd5150272b3404d40a2251bb867c75f71ce4491131b3e2901ea41d5d3c9a14dace92ae678b0de5bfc12bb40a5732e6acb4e78fe738c237e996fbcf17ddf328ac33ffe834bebb001375d39d920c356bd4e56f6b1acbbccda91ded1a4e5877dc7a9ddbaf65a8371b35717ef3a846cb91e127f1c4be1de2f1872a8be676e63d21070bf03bd6ffd855b94227f935818ab16852ae8db2139eb03905", 0xf0}, {0x0}, {0x0}], 0x3}}], 0x2, 0x0)
r2 = accept4(r0, 0x0, 0x0, 0x0)
dup2(r1, r2)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
sendmsg$inet6(r3, &(0x7f00000004c0)={&(0x7f0000000080)={0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010102}}, 0x1c, &(0x7f0000000440)=[{&(0x7f00000000c0)="f3", 0x1}], 0x1}, 0x0)
listen(r1, 0x7fffffff)

Kconfig:
Kconfig_k5_lockdep.txt

[cpaasch]

Reproducer confirmed!

[cpaasch]

Bisected to: 8571da3

[matttbe]

@cpaasch here is a debug patch from @pabeni (from IRC, just in case you missed the info and not to loose it)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 3a8add6aa74c..d2aa396dfb2c 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2527,6 +2527,10 @@ static void mptcp_check_fastclose(struct mptcp_sock *msk)
 
 		slow = lock_sock_fast(tcp_sk);
 		if (tcp_sk->sk_state != TCP_CLOSE) {
+			if (!inet_csk(tcp_sk)->icsk_ack.rcv_mss)
+				pr_warn("msk state %d server side %d ssk state %d segs in %d",
+					sk->sk_state, msk->pm.server_side, tcp_sk->sk_state,
+					tcp_sk(tcp_sk)->segs_in);
 			tcp_send_active_reset(tcp_sk, GFP_ATOMIC);
 			tcp_set_state(tcp_sk, TCP_CLOSE);
 		}

[cpaasch]

@pabeni

[  855.250944] MPTCP: msk state 10 server side 0 ssk state 10 segs in 0
[  855.251038] divide error: 0000 [#1] PREEMPT SMP

[matttbe]

Is it normal to try to send a RST if the subflow (and msk I guess) is in LISTEN state?