KASAN: slab-out-of-bounds Read in tcp_out_of

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-out-of-bounds Read in tcp_out_of_resources net	17				1	2152d	2152d	0/29	closed as invalid on 2019/10/03 03:38

================================================================== BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:56 [inline] BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:147 [inline] BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:278 [inline] BUG: KASAN: slab-out-of-bounds in tcp_out_of_resources+0x2f8/0x3e0 net/ipv4/tcp_timer.c:112 Read of size 4 at addr ffff88804b856144 by task kworker/1:10/8911 CPU: 1 PID: 8911 Comm: kworker/1:10 Not tainted 5.9.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events iterate_cleanup_work Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 check_memory_region_inline mm/kasan/generic.c:186 [inline] check_memory_region+0x13d/0x180 mm/kasan/generic.c:192 instrument_atomic_read include/linux/instrumented.h:56 [inline] atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] refcount_read include/linux/refcount.h:147 [inline] check_net include/net/net_namespace.h:278 [inline] tcp_out_of_resources+0x2f8/0x3e0 net/ipv4/tcp_timer.c:112 tcp_probe_timer net/ipv4/tcp_timer.c:379 [inline] tcp_write_timer_handler+0x52c/0xa60 net/ipv4/tcp_timer.c:615 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:631 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413 expire_timers kernel/time/timer.c:1458 [inline] __run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755 __run_timers kernel/time/timer.c:1736 [inline] run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768 __do_softirq+0x1f7/0xa91 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 </IRQ> __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77 do_softirq kernel/softirq.c:343 [inline] do_softirq+0x154/0x1b0 kernel/softirq.c:330 __local_bh_enable_ip+0x196/0x1f0 kernel/softirq.c:195 local_bh_enable include/linux/bottom_half.h:32 [inline] get_next_corpse net/netfilter/nf_conntrack_core.c:2226 [inline] nf_ct_iterate_cleanup+0x9e/0x330 net/netfilter/nf_conntrack_core.c:2249 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2334 [inline] nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2319 iterate_cleanup_work+0x45/0x130 net/netfilter/nf_nat_masquerade.c:216 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Allocated by task 9364: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:518 [inline] slab_alloc_node mm/slab.c:3254 [inline] kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574 alloc_task_struct_node kernel/fork.c:169 [inline] dup_task_struct kernel/fork.c:858 [inline] copy_process+0x5d0/0x6920 kernel/fork.c:1916 _do_fork+0xe8/0xb10 kernel/fork.c:2428 __do_sys_clone+0xc8/0x110 kernel/fork.c:2545 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2894 [inline] call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:178 finish_task_switch+0x532/0x750 kernel/sched/core.c:3651 context_switch kernel/sched/core.c:3781 [inline] __schedule+0xeb1/0x2230 kernel/sched/core.c:4527 schedule+0xd0/0x2a0 kernel/sched/core.c:4602 freezable_schedule include/linux/freezer.h:172 [inline] do_nanosleep+0x222/0x650 kernel/time/hrtimer.c:1883 hrtimer_nanosleep+0x1f9/0x430 kernel/time/hrtimer.c:1936 __do_sys_nanosleep kernel/time/hrtimer.c:1970 [inline] __se_sys_nanosleep kernel/time/hrtimer.c:1957 [inline] __x64_sys_nanosleep+0x1dc/0x260 kernel/time/hrtimer.c:1957 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Second to last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2894 [inline] call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:178 finish_task_switch+0x532/0x750 kernel/sched/core.c:3651 context_switch kernel/sched/core.c:3781 [inline] __schedule+0xeb1/0x2230 kernel/sched/core.c:4527 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:4683 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:40 __local_bh_enable_ip+0x1a0/0x1f0 kernel/softirq.c:202 local_bh_enable include/linux/bottom_half.h:32 [inline] get_next_corpse net/netfilter/nf_conntrack_core.c:2226 [inline] nf_ct_iterate_cleanup+0x9e/0x330 net/netfilter/nf_conntrack_core.c:2249 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2334 [inline] nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2319 masq_device_event+0xae/0xe0 net/netfilter/nf_nat_masquerade.c:88 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033 call_netdevice_notifiers_extack net/core/dev.c:2045 [inline] call_netdevice_notifiers net/core/dev.c:2059 [inline] dev_close_many+0x30b/0x650 net/core/dev.c:1634 rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9261 rollback_registered net/core/dev.c:9329 [inline] unregister_netdevice_queue+0x2dd/0x570 net/core/dev.c:10410 unregister_netdevice include/linux/netdevice.h:2774 [inline] __tun_detach+0xff6/0x1310 drivers/net/tun.c:691 tun_detach drivers/net/tun.c:708 [inline] tun_chr_close+0xd9/0x180 drivers/net/tun.c:3408 __fput+0x285/0x920 fs/file_table.c:281 task_work_run+0xdd/0x190 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:163 [inline] exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190 syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88804b856380 which belongs to the cache task_struct of size 6400 The buggy address is located 572 bytes to the left of 6400-byte region [ffff88804b856380, ffff88804b857c80) The buggy address belongs to the page: page:00000000523c0ed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4b856 head:00000000523c0ed5 order:1 compound_mapcount:0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea00011a1108 ffffea0000d4db08 ffff88821bc47400 raw: 0000000000000000 ffff88804b856380 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88804b856000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88804b856080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88804b856100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88804b856180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88804b856200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================