KASAN: slab-out-of-bounds Read in tcp_out_of

KASAN: slab-out-of-bounds Read in tcp_out_of_resources (2)
Status: auto-closed as invalid on 2020/12/08 08:32
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 406d, last: 406d
similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-out-of-bounds Read in tcp_out_of_resources				1	778d	778d	0/22	closed as invalid on 2019/10/03 03:38
Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:56 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:147 [inline]
BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:278 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_out_of_resources+0x2f8/0x3e0 net/ipv4/tcp_timer.c:112
Read of size 4 at addr ffff88804b856144 by task kworker/1:10/8911

CPU: 1 PID: 8911 Comm: kworker/1:10 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events iterate_cleanup_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_read include/linux/instrumented.h:56 [inline]
 atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
 refcount_read include/linux/refcount.h:147 [inline]
 check_net include/net/net_namespace.h:278 [inline]
 tcp_out_of_resources+0x2f8/0x3e0 net/ipv4/tcp_timer.c:112
 tcp_probe_timer net/ipv4/tcp_timer.c:379 [inline]
 tcp_write_timer_handler+0x52c/0xa60 net/ipv4/tcp_timer.c:615
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:631
 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
 expire_timers kernel/time/timer.c:1458 [inline]
 __run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
 __run_timers kernel/time/timer.c:1736 [inline]
 run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768
 __do_softirq+0x1f7/0xa91 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 do_softirq+0x154/0x1b0 kernel/softirq.c:330
 __local_bh_enable_ip+0x196/0x1f0 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 get_next_corpse net/netfilter/nf_conntrack_core.c:2226 [inline]
 nf_ct_iterate_cleanup+0x9e/0x330 net/netfilter/nf_conntrack_core.c:2249
 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2334 [inline]
 nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2319
 iterate_cleanup_work+0x45/0x130 net/netfilter/nf_nat_masquerade.c:216
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 9364:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc_node mm/slab.c:3254 [inline]
 kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574
 alloc_task_struct_node kernel/fork.c:169 [inline]
 dup_task_struct kernel/fork.c:858 [inline]
 copy_process+0x5d0/0x6920 kernel/fork.c:1916
 _do_fork+0xe8/0xb10 kernel/fork.c:2428
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2545
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2894 [inline]
 call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968
 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:178
 finish_task_switch+0x532/0x750 kernel/sched/core.c:3651
 context_switch kernel/sched/core.c:3781 [inline]
 __schedule+0xeb1/0x2230 kernel/sched/core.c:4527
 schedule+0xd0/0x2a0 kernel/sched/core.c:4602
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x222/0x650 kernel/time/hrtimer.c:1883
 hrtimer_nanosleep+0x1f9/0x430 kernel/time/hrtimer.c:1936
 __do_sys_nanosleep kernel/time/hrtimer.c:1970 [inline]
 __se_sys_nanosleep kernel/time/hrtimer.c:1957 [inline]
 __x64_sys_nanosleep+0x1dc/0x260 kernel/time/hrtimer.c:1957
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2894 [inline]
 call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968
 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:178
 finish_task_switch+0x532/0x750 kernel/sched/core.c:3651
 context_switch kernel/sched/core.c:3781 [inline]
 __schedule+0xeb1/0x2230 kernel/sched/core.c:4527
 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:4683
 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:40
 __local_bh_enable_ip+0x1a0/0x1f0 kernel/softirq.c:202
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 get_next_corpse net/netfilter/nf_conntrack_core.c:2226 [inline]
 nf_ct_iterate_cleanup+0x9e/0x330 net/netfilter/nf_conntrack_core.c:2249
 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2334 [inline]
 nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2319
 masq_device_event+0xae/0xe0 net/netfilter/nf_nat_masquerade.c:88
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033
 call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
 call_netdevice_notifiers net/core/dev.c:2059 [inline]
 dev_close_many+0x30b/0x650 net/core/dev.c:1634
 rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9261
 rollback_registered net/core/dev.c:9329 [inline]
 unregister_netdevice_queue+0x2dd/0x570 net/core/dev.c:10410
 unregister_netdevice include/linux/netdevice.h:2774 [inline]
 __tun_detach+0xff6/0x1310 drivers/net/tun.c:691
 tun_detach drivers/net/tun.c:708 [inline]
 tun_chr_close+0xd9/0x180 drivers/net/tun.c:3408
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:163 [inline]
 exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190
 syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88804b856380
 which belongs to the cache task_struct of size 6400
The buggy address is located 572 bytes to the left of
 6400-byte region [ffff88804b856380, ffff88804b857c80)
The buggy address belongs to the page:
page:00000000523c0ed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4b856
head:00000000523c0ed5 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00011a1108 ffffea0000d4db08 ffff88821bc47400
raw: 0000000000000000 ffff88804b856380 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88804b856000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804b856080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88804b856100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff88804b856180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804b856200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-selinux-root	2020/09/09 08:26	upstream	612ab8ad6414	abf9ba4f	.config	log	report