Syzkaller hit 'BUG: spinlock already unlocked in inet_csk_reqsk_queue_add' bug.

**【标题描述】能够简要描述问题：说明什么场景下，做了什么操作，出现什么问题（尽量使用正向表达方式）**
syzkaller 模糊测试发现的问题，宕机栈如下
BUG: spinlock already unlocked on CPU#0, ksoftirqd/0/12
 lock: 0xffff8881138c6a70, .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 5.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1qmp_cmd_name: qmp_capabilities, arguments: {}
qmp_cmd_name: human-monitor-command, arguments: {"command-line": "info registers", "cpu-index": 1}
 dump_stack+0x9c/qmp_cmd_name: human-monitor-command, arguments: {"command-line": "info registers", "cpu-index": 2}
 do_raw_spin_unlock+0x16qmp_cmd_name: human-monitor-command, arguments: {"command-line": "info registers", "cpu-index": 3}
 __raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline]
 _raw_spin_unlock+0x1f/0x30 kernel/locking/spinlock.c:183
 spin_unlock include/linux/spinlock.h:394 [inline]
 inet_csk_reqsk_queue_add+0x1b0/0x250 net/ipv4/inet_connection_sock.c:1005
 tcp_get_cookie_sock+0x1ff/0x4f0 net/ipv4/syncookies.c:221
 cookie_v4_check+0x161b/0x2240 net/ipv4/syncookies.c:453
 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1640 [inline]
 tcp_v4_do_rcv+0x59f/0x7c0 net/ipv4/tcp_ipv4.c:1695
 tcp_v4_rcv+0x3eaa/0x44e0 net/ipv4/tcp_ipv4.c:2060
 ip_protocol_deliver_rcu+0x25a/0x840 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x1d9/0x260 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x17c/0x360 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:459 [inline]
 ip_rcv_finish+0x198/0x2b0 net/ipv4/ip_input.c:435
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0xcd/0x240 net/ipv4/ip_input.c:546
 __netif_receive_skb_one_core+0x1a0/0x1f0 net/core/dev.c:5366
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5480
 process_backlog+0x1ec/0x540 net/core/dev.c:6386
 napi_poll+0x23b/0x7c0 net/core/dev.c:6837
 net_rx_action+0x1fe/0x700 net/core/dev.c:6907
 __do_softirq+0x1c3/0x5d9 kernel/softirq.c:298
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x1e/0x30 kernel/softirq.c:646
 smpboot_thread_fn+0x334/0x700 kernel/smpboot.c:164
 kthread+0x2fe/0x410 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
------------[ cut here ]------------
pvqspinlock: lock 0xffff8881138c6a70 has corrupted value 0x0!
WARNING: CPU: 0 PID: 12 at kernel/locking/qspinlock_paravirt.h:498 __pv_queued_spin_unlock_slowpath+0x1eb/0x260 kernel/locking/qspinlock_paravirt.h:498
Modules linked in:
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 5.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:__pv_queued_spin_unlock_slowpath+0x1eb/0x260 kernel/locking/qspinlock_paravirt.h:498
Code: ea 03 0f b6 14 02 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 70 41 8b 14 24 4c 89 e6 48 c7 c7 c0 cf e9 92 e8 3d be fd 01 <0f> 0b e9 68 ff ff ff 48 89 df 48 89 14 24 e8 72 3b 62 00 48 8b 14
RSP: 0018:ffff888100367470 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 000000001442f64f RCX: 0000000000000000
RDX: ffff888100350000 RSI: 0000000000000008 RDI: ffffed102006ce80
RBP: ffff8881138c6a70 R08: 0000000000000001 R09: ffff88811a401de7
R10: ffffed10234803bc R11: 0000000000000001 R12: ffff8881138c6a70
R13: ffff8881138c6a80 R14: ffff8881138c6a70 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88811a200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000040416003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x24
 .slowpath+0x9/0x16
 pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:559 [inline]
 queued_spin_unlock arch/x86/include/asm/qspinlock.h:60 [inline]
 do_raw_spin_unlock+0x149/0x1f0 kernel/locking/spinlock_debug.c:139
 __raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline]
 _raw_spin_unlock+0x1f/0x30 kernel/locking/spinlock.c:183
 spin_unlock include/linux/spinlock.h:394 [inline]
 inet_csk_reqsk_queue_add+0x1b0/0x250 net/ipv4/inet_connection_sock.c:1005
 tcp_get_cookie_sock+0x1ff/0x4f0 net/ipv4/syncookies.c:221
 cookie_v4_check+0x161b/0x2240 net/ipv4/syncookies.c:453
 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1640 [inline]
 tcp_v4_do_rcv+0x59f/0x7c0 net/ipv4/tcp_ipv4.c:1695
 tcp_v4_rcv+0x3eaa/0x44e0 net/ipv4/tcp_ipv4.c:2060
 ip_protocol_deliver_rcu+0x25a/0x840 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x1d9/0x260 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x17c/0x360 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:459 [inline]
 ip_rcv_finish+0x198/0x2b0 net/ipv4/ip_input.c:435
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0xcd/0x240 net/ipv4/ip_input.c:546
 __netif_receive_skb_one_core+0x1a0/0x1f0 net/core/dev.c:5366
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5480
 process_backlog+0x1ec/0x540 net/core/dev.c:6386
 napi_poll+0x23b/0x7c0 net/core/dev.c:6837
 net_rx_action+0x1fe/0x700 net/core/dev.c:6907
 __do_softirq+0x1c3/0x5d9 kernel/softirq.c:298
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x1e/0x30 kernel/softirq.c:646
 smpboot_thread_fn+0x334/0x700 kernel/smpboot.c:164
 kthread+0x2fe/0x410 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
---[ end trace 49faeb4e945e7234 ]---
net_ratelimit: 7373 callbacks suppressed
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies.  Check SNMP counters.
net_ratelimit: 8284 callbacks suppressed
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20003. Sending cookies.  Check SNMP counters.

Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x0, @empty}, 0x1c)
listen(r0, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x0)
connect$inet6(r1, &(0x7f0000000040)={0xa, 0x4e23, 0x0, @ipv4={'\x00', '\xff\xff', @empty}}, 0x1c)
shutdown(r0, 0x0)
listen(r0, 0x7fffffff)

**【环境信息】**
硬件信息
- qemu 配置
	"vm": {
		"count": 4,
		"kernel": "/xxxx/kernel/arch/x86/boot/bzImage",
		"cmdline": "net.ifnames=0",
		"cpu": 4,
		"mem": 4096
	}

软件信息
- OS版本及分支信息
openEuler-22.03-LTS-SP1
- 内核信息
openEuler-22.03-LTS-SP1
- 发现问题的组件版本信息

- 如果有特殊组网，请提供网络拓扑信息

---

GVP openEuler/kernel

内容风险标识

评论 (16)

GVPopenEuler/kernel

内容风险标识