KASAN: use-after-free Read in tcp_retransmit

Kernel	Title	Repro	Cause bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Read in tcp_retransmit_timer			5	1075d	1150d	0/1	auto-closed as invalid on 2021/09/06 04:07
linux-6.1	KASAN: use-after-free Read in tcp_retransmit_timer			14	18d	37d	0/3	upstream: reported on 2024/03/12 12:56
linux-5.15	KASAN: use-after-free Read in tcp_retransmit_timer (2)			12	29d	178d	0/3	upstream: reported on 2023/10/23 18:56
linux-4.19	KASAN: use-after-free Read in tcp_retransmit_timer			2	1574d	1575d	0/1	auto-closed as invalid on 2020/04/25 09:53
upstream	KASAN: use-after-free Read in tcp_retransmit_timer (2) net			1	1859d	1859d	0/26	closed as invalid on 2019/04/19 21:45
upstream	KASAN: use-after-free Read in tcp_retransmit_timer (5) net	C	unreliable	16000	503d	1515d	22/26	fixed on 2023/02/24 13:50
linux-4.19	KASAN: use-after-free Read in tcp_retransmit_timer (2)			6	1004d	1171d	0/1	auto-closed as invalid on 2021/11/16 03:14
upstream	KASAN: use-after-free Read in tcp_retransmit_timer (3) net			5	1771d	1790d	0/26	closed as invalid on 2019/07/01 18:06
upstream	KASAN: use-after-free Read in tcp_retransmit_timer net			4	1902d	2015d	0/26	closed as invalid on 2019/03/10 18:51
linux-4.19	KASAN: slab-out-of-bounds Read in tcp_retransmit_timer			9	682d	861d	0/1	auto-obsoleted due to no activity on 2022/10/04 11:51
upstream	KASAN: use-after-free Read in tcp_retransmit_timer (4) net			2	1715d	1716d	0/26	closed as invalid on 2019/10/03 04:18
linux-5.15	KASAN: use-after-free Read in tcp_retransmit_timer			76	287d	395d	0/3	auto-obsoleted due to no activity on 2023/09/14 02:10

================================================================== BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2fc3/0x33f0 net/ipv4/tcp_timer.c:480 Read of size 8 at addr ffff88808f41c2b8 by task syz-executor.5/1616 CPU: 1 PID: 1616 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tcp_retransmit_timer+0x2fc3/0x33f0 net/ipv4/tcp_timer.c:480 tcp_write_timer_handler+0x5e6/0xa60 net/ipv4/tcp_timer.c:593 tcp_write_timer+0x103/0x1b0 net/ipv4/tcp_timer.c:613 call_timer_fn+0x177/0x700 kernel/time/timer.c:1338 expire_timers+0x243/0x4e0 kernel/time/timer.c:1375 __run_timers kernel/time/timer.c:1696 [inline] run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1709 __do_softirq+0x265/0x980 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x215/0x260 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894 </IRQ> RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:lock_is_held_type+0x17a/0x210 kernel/locking/lockdep.c:3948 Code: 00 00 00 00 fc ff df c7 85 84 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 75 63 48 83 3d 45 cc a6 08 00 74 2c 48 89 df 57 9d <0f> 1f 44 00 00 48 83 c4 08 44 89 e0 5b 5d 41 5c c3 48 83 c4 08 41 RSP: 0018:ffff88823100f860 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: 1ffffffff13e3051 RBX: 0000000000000286 RCX: 0000000000000001 RDX: dffffc0000000000 RSI: 00000000ffffffff RDI: 0000000000000286 RBP: ffff8880350ae380 R08: 0000000000000001 R09: 00007f8a1a057000 R10: 0000000000000006 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88809bcb2770 R14: ffff8880a3261210 R15: ffff88809ddf7080 lock_is_held include/linux/lockdep.h:344 [inline] ___might_sleep+0x1ea/0x2b0 kernel/sched/core.c:6157 down_write+0x18/0x90 kernel/locking/rwsem.c:69 lock_anon_vma_root mm/rmap.c:238 [inline] unlink_anon_vmas+0x178/0x840 mm/rmap.c:388 free_pgtables+0xe2/0x2f0 mm/memory.c:638 exit_mmap+0x2c8/0x530 mm/mmap.c:3094 __mmput kernel/fork.c:1016 [inline] mmput+0x14e/0x4a0 kernel/fork.c:1037 exit_mm kernel/exit.c:549 [inline] do_exit+0xaec/0x2be0 kernel/exit.c:857 do_group_exit+0x125/0x310 kernel/exit.c:967 get_signal+0x3f2/0x1f70 kernel/signal.c:2589 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f8a194065a9 Code: Bad RIP value. RSP: 002b:00007f8a17979218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007f8a19526f88 RCX: 00007f8a194065a9 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f8a19526f8c RBP: 00007f8a19526f80 R08: 000002a46a7cc5d5 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8a19526f8c R13: 00007ffdfbda13cf R14: 00007f8a17979300 R15: 0000000000022000 Allocated by task 8142: kmem_cache_alloc+0x122/0x370 mm/slab.c:3559 kmem_cache_zalloc include/linux/slab.h:699 [inline] net_alloc net/core/net_namespace.c:386 [inline] copy_net_ns+0x106/0x340 net/core/net_namespace.c:426 create_new_namespaces+0x3f6/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:206 ksys_unshare+0x36c/0x9a0 kernel/fork.c:2542 __do_sys_unshare kernel/fork.c:2610 [inline] __se_sys_unshare kernel/fork.c:2608 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2608 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 26998: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 net_free net/core/net_namespace.c:402 [inline] net_drop_ns+0x73/0x90 net/core/net_namespace.c:409 cleanup_net+0x64c/0x8b0 net/core/net_namespace.c:572 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff88808f41c080 which belongs to the cache net_namespace of size 8704 The buggy address is located 568 bytes inside of 8704-byte region [ffff88808f41c080, ffff88808f41e280) The buggy address belongs to the page: page:ffffea00023d0700 count:1 mapcount:0 mapping:ffff88823b843e00 index:0x0 compound_mapcount: 0 flags: 0xfff00000008100(slab|head) raw: 00fff00000008100 ffffea000257c108 ffffea0002437b08 ffff88823b843e00 raw: 0000000000000000 ffff88808f41c080 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808f41c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808f41c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88808f41c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88808f41c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808f41c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ---------------- Code disassembly (best guess), 6 bytes skipped: 0: df c7 ffreep %st(7) 2: 85 84 08 00 00 00 00 test %eax,0x0(%rax,%rcx,1) 9: 00 00 add %al,(%rax) b: 48 c1 e8 03 shr $0x3,%rax f: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) 13: 75 63 jne 0x78 15: 48 83 3d 45 cc a6 08 cmpq $0x0,0x8a6cc45(%rip) # 0x8a6cc62 1c: 00 1d: 74 2c je 0x4b 1f: 48 89 df mov %rbx,%rdi 22: 57 push %rdi 23: 9d popfq * 24: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) <-- trapping instruction 29: 48 83 c4 08 add $0x8,%rsp 2d: 44 89 e0 mov %r12d,%eax 30: 5b pop %rbx 31: 5d pop %rbp 32: 41 5c pop %r12 34: c3 retq 35: 48 83 c4 08 add $0x8,%rsp 39: 41 rex.B

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2022/10/30 17:38	linux-4.19.y	3f8a27f9e27b	2a71366b	.config	console log	report			info	[disk image] [vmlinux]	ci2-linux-4-19	KASAN: use-after-free Read in tcp_retransmit_timer

Crashes (1):

Assets (help?)