[syzkaller] WARNING in dst_release

[cpaasch]

------------[ cut here ]------------
dst_release underflow
WARNING: CPU: 1 PID: 31525 at net/core/dst.c:175 dst_release+0xc1/0xd0 net/core/dst.c:175
Modules linked in:
CPU: 1 PID: 31525 Comm: syz-executor.0 Not tainted 5.11.0-rc7f374f2f1ba83541d8c7efc56de08c6122856621c #86
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:dst_release+0xc1/0xd0 net/core/dst.c:175
Code: 89 c3 89 c6 e8 a0 94 79 ff 85 db 74 a5 e9 2b 9c 25 00 e8 12 8f 79 ff 48 c7 c7 d3 88 4c 82 c6 05 1a f8 dd 00 01 e8 4e aa 20 00 <0f> 0b eb c6 90 66 2e 0f 1f 84 00 00 00 00 00 41 54 55 48 89 fd 53
RSP: 0018:ffffc90001bafbb0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc9000acd9000
RDX: 0000000000040000 RSI: ffffffff810e4fe3 RDI: 0000000000000003
RBP: ffff88813bd2a080 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff811bd6b3 R11: 0000000000000000 R12: 00000000ffffffff
R13: ffff88812ead50c0 R14: 0000000000000001 R15: ffff88801d70de80
FS:  00007ff4bac39700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff4bac38ef8 CR3: 00000001213cc002 CR4: 0000000000170ee0
Call Trace:
 rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503
 rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612
 __mkroute_output net/ipv4/route.c:2484 [inline]
 ip_route_output_key_hash_rcu+0x4e2/0xd80 net/ipv4/route.c:2684
 ip_route_output_key_hash+0x7c/0xb0 net/ipv4/route.c:2512
 __ip_route_output_key include/net/route.h:126 [inline]
 ip_route_connect include/net/route.h:319 [inline]
 tcp_v4_connect+0x407/0x6f0 net/ipv4/tcp_ipv4.c:229
 __inet_stream_connect+0x14a/0x5a0 net/ipv4/af_inet.c:667
 inet_stream_connect+0x37/0x50 net/ipv4/af_inet.c:731
 mptcp_stream_connect+0x78/0x270 net/mptcp/protocol.c:3225
 __sys_connect_file net/socket.c:1835 [inline]
 __sys_connect+0x148/0x170 net/socket.c:1852
 __do_sys_connect net/socket.c:1862 [inline]
 __se_sys_connect net/socket.c:1859 [inline]
 __x64_sys_connect+0x18/0x20 net/socket.c:1859
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7ff4ba569469
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ff4bac38da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000000002a RCX: 00007ff4ba569469
RDX: 000000000000004d RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000000002a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000069c014
R13: 00007fff697fb95f R14: 00007ff4bac19000 R15: 0000000000000003

HEAD is:
f374f2f1ba83 ("mptcp: fix memory accounting on allocation error") (HEAD) (5 days ago)
b118cc0 ("DO-NOT-MERGE: mptcp: enabled by default") (tag: export/20210218T061505, mptcp_net-next/export) (7 days ago)
afb3935 ("DO-NOT-MERGE: mptcp: add GitHub Actions") (7 days ago)
fb66148 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (7 days ago)
ab09cf3 ("selftests: mptcp: add testcases for removing addrs") (7 days ago)
26f4ca2 ("selftests: mptcp: set addr id for removing testcases") (7 days ago)
b16c8fa ("selftests: mptcp: add invert argument for chk_rm_nr") (7 days ago)
5fb7c01 ("mptcp: remove a list of addrs when flushing") (7 days ago)
84f5b28 ("mptcp: remove multi addresses and subflows in PM") (7 days ago)
1343f2e ("mptcp: remove multi subflows in PM") (7 days ago)
f78ff72 ("mptcp: remove multi addresses in PM") (7 days ago)
8be112e ("mptcp: add rm_list_rx in mptcp_pm_data") (7 days ago)
ad3cbae ("mptcp: add rm_list in mptcp_options_received") (7 days ago)
ad2399b ("mptcp: add rm_list_tx in mptcp_pm_data") (7 days ago)
783bf0f ("mptcp: add rm_list in mptcp_out_options") (7 days ago)
d66e083 ("mptcp: drop unused subflow in mptcp_pm_subflow_established") (7 days ago)
da0ff10 ("mptcp: fix DATA_FIN generation on early shutdown") (7 days ago)
1956a17 ("mptcp: clean-up the rtx path") (7 days ago)
3a90e26 ("mptcp: fix race in release_cb") (7 days ago)
08d4b36 ("mptcp: factor out __mptcp_retrans helper()") (7 days ago)
fb4bec1 ("mptcp: dispose initial struct socket when its subflow is closed") (7 days ago)
f5ddfd3 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (7 days ago)
c31680c ("bpf:selftests: add MPTCP test base") (7 days ago)
a03c346 ("bpf: add 'bpf_mptcp_sock' structure and helper") (7 days ago)
b183b48 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (7 days ago)
849dea5 ("linux: handle MPTCP consistently with TCP") (7 days ago)
194cb4e ("x86/build: Disable CET instrumentation in the kernel for 32-bit too") (7 days ago)
3bec5cb ("mptcp: fix DATA_FIN processing for orphaned sockets") (7 days ago)
85b8c8d ("mptcp: provide subflow aware release function") (7 days ago)
c1e8864 ("mptcp: reset last_snd on subflow close") (7 days ago)
38b5133 ("octeontx2-pf: Fix otx2_get_fecparam()") (mptcp_net-next/net-next) (7 days ago)

CONFIG:
CONFIG.txt

No reproducer yet.

[pabeni]

[c&p from IRC]
I think this one shares the same root cause of:
https://marc.info/?l=linux-netdev&m=161358323114502&w=2
If so, should be fixed by:

9b17fa5 mptcp: dispose initial struct socket when its subflow is closed

(that is, the current export branch)

@cpaasch: could you please have a spin on current export?

[cpaasch]

Yes, I am running this branch.

[matttbe]

From the weekly meeting we just had:

• @cpaasch: Not happening for at least a week
• @pabeni: Should be fixed thanks to a patch from @fw-strlen
• Can be closed then