In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix possible stall on recvmsg()
recvmsg() can enter an infinite loop if the caller provides the MSG_WAITALL, the data present in the receive queue is not sufficient to fulfill the request, and no more data is received by the peer.
When the above happens, mptcp_wait_data() will always return with no wait, as the MPTCP_DATA_READY flag checked by such function is set and never cleared in such code path.
Leveraging the above, syzbot was able to trigger an RCU stall:
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1
(t=10500 jiffies g=13089 q=109)
rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:28696 pid: 14 ppid: 2 flags:0x00004000
Call Trace:
context_switch kernel/sched/core.c:4955 [inline]
__schedule+0x940/0x26f0 kernel/sched/core.c:6236
schedule+0xd3/0x270 kernel/sched/core.c:6315
schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881
rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955
rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189
Code: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00
RSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283
RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870
RBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877
R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000
R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000
FS:  0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]
mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016
release_sock+0xb4/0x1b0 net/core/sock.c:3204
mptcp_wait_data net/mptcp/protocol.c:1770 [inline]
mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080
inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659
sock_recvmsg_nosec net/socket.c:944 [inline]
____sys_recvmsg+0x527/0x600 net/socket.c:2626
___sys_recvmsg+0x127/0x200 net/socket.c:2670
do_recvmmsg+0x24d/0x6d0 net/socket.c:2764
__sys_recvmmsg net/socket.c:2843 [inline]
__do_sys_recvmmsg net/socket.c:2866 [inline]
__se_sys_recvmmsg net/socket.c:2859 [inline]
__x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc200d2 ---truncated---
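The recvmsg()/wait interaction described in the commit message, modelled in userspace as an added example. This is not kernel code and not the upstream fix: the names `model_sock`, `wait_data_buggy`, `wait_data_fixed`, `recvmsg_model` and `run_scenario` are hypothetical, the receive queue of 4 bytes against a 16-byte MSG_WAITALL request is constructed input, and `SPIN_LIMIT` caps the buggy loop so that the model terminates where the real kernel spins until the RCU stall above fires. The "fixed" variant shows one sound alternative inside the model (sleep on the actual queue state instead of a sticky ready flag); it is not a description of how the kernel patch was written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* real MSG_WAITALL flag value */

#define SPIN_LIMIT 1000   /* iteration cap so the buggy loop terminates in this model */

/* Hypothetical stand-in for the socket: a receive queue plus a sticky
 * "data ready" flag, the analogue of MPTCP_DATA_READY in the text above. */
struct model_sock {
    const char *rx;      /* bytes already queued from the peer */
    size_t rx_len;
    bool data_ready;     /* set when data was queued, never cleared here */
};

enum wait_result { WAIT_WOKEN, WAIT_BLOCKED };

/* Buggy wait: the sticky flag is set and never cleared, so this "wait"
 * returns at once every time, which is the condition described above. */
enum wait_result wait_data_buggy(struct model_sock *s)
{
    return s->data_ready ? WAIT_WOKEN : WAIT_BLOCKED;
}

/* One sound alternative for the model (not the upstream patch): wait on the
 * real queue state. No peer sends more data in this model, so an empty queue
 * means the caller would sleep, reported here as WAIT_BLOCKED. */
enum wait_result wait_data_fixed(struct model_sock *s)
{
    return s->rx_len > 0 ? WAIT_WOKEN : WAIT_BLOCKED;
}

enum recv_outcome { RECV_DONE, RECV_WOULD_BLOCK, RECV_SPINS };

/* Simplified recvmsg() loop: copy what is queued; with MSG_WAITALL keep going
 * until len bytes are copied, otherwise return whatever was available. */
enum recv_outcome recvmsg_model(struct model_sock *s, char *buf, size_t len, int flags,
                                enum wait_result (*wait_fn)(struct model_sock *),
                                int *iterations)
{
    size_t copied = 0;

    *iterations = 0;
    while (copied < len) {
        size_t want = len - copied;
        size_t n = s->rx_len < want ? s->rx_len : want;

        memcpy(buf + copied, s->rx, n);
        s->rx += n;
        s->rx_len -= n;
        copied += n;

        if (copied >= len)
            break;
        if (!(flags & MSG_WAITALL) && copied > 0)
            break;                      /* partial read is fine without WAITALL */
        if (++*iterations > SPIN_LIMIT)
            return RECV_SPINS;          /* the real kernel has no cap: RCU stall */
        if (wait_fn(s) == WAIT_BLOCKED)
            return RECV_WOULD_BLOCK;    /* a real kernel would sleep here */
    }
    return RECV_DONE;
}

/* Scenario from the commit message: the peer queued 4 bytes (constructed
 * input), the caller asks for 16 and no more data ever arrives. */
enum recv_outcome run_scenario(enum wait_result (*wait_fn)(struct model_sock *),
                               int flags, int *iterations)
{
    struct model_sock s = { .rx = "ping", .rx_len = 4, .data_ready = true };
    char buf[16];

    return recvmsg_model(&s, buf, sizeof buf, flags, wait_fn, iterations);
}

/* Number of times the loop called wait_fn() for the same scenario. */
int scenario_waits(enum wait_result (*wait_fn)(struct model_sock *), int flags)
{
    int iterations;

    run_scenario(wait_fn, flags, &iterations);
    return iterations;
}

int main(void)
{
    static const char *const names[] = { "done", "would block", "spins" };
    enum recv_outcome r;
    int it;

    r = run_scenario(wait_data_buggy, MSG_WAITALL, &it);
    printf("WAITALL, buggy wait: %s after %d wait(s)\n", names[r], it);
    r = run_scenario(wait_data_fixed, MSG_WAITALL, &it);
    printf("WAITALL, fixed wait: %s after %d wait(s)\n", names[r], it);
    r = run_scenario(wait_data_buggy, 0, &it);
    printf("no WAITALL:          %s after %d wait(s)\n", names[r], it);
    return 0;
}
```

With the buggy wait the loop copies the 4 queued bytes once, then spins through SPIN_LIMIT "waits" that never sleep; with the queue-state wait it blocks after the first pass, and without MSG_WAITALL both variants return the partial 4 bytes without waiting at all.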