syzbot


KASAN: use-after-free Read in tcp_sk_exit (2)

Status: closed as invalid on 2022/01/11 13:53
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 521d, last: 404d

Cause bisection: failed (bisect log)

Fix bisection: failed (bisect log)
similar bugs (3):
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in tcp_sk_exit | | | | 7 | 1269d | 1400d | 0/24 | auto-closed as invalid on 2019/10/25 08:37 |
| android-5-10 | general protection fault in tcp_sk_exit | | | | 1 | 243d | 243d | 0/2 | auto-closed as invalid on 2022/07/07 14:15 |
| android-5-10 | general protection fault in tcp_sk_exit (2) | | | | 1 | 143d | 143d | 0/2 | auto-obsoleted due to no activity on 2022/10/15 01:07 |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
BUG: KASAN: use-after-free in tcp_sk_exit+0x2a4/0x2e0 net/ipv4/tcp_ipv4.c:2868
Read of size 8 at addr ffff88807bbf29c0 by task kworker/u4:1/10

CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
 tcp_sk_exit+0x2a4/0x2e0 net/ipv4/tcp_ipv4.c:2868
 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:175
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 26470:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2956 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2969
 sk_prot_alloc+0x5f/0x290 net/core/sock.c:1802
 sk_alloc+0x32/0xbc0 net/core/sock.c:1861
 inet_create net/ipv4/af_inet.c:322 [inline]
 inet_create+0x395/0xea0 net/ipv4/af_inet.c:248
 __sock_create+0x353/0x790 net/socket.c:1450
 inet_ctl_sock_create+0x88/0x1d0 net/ipv4/af_inet.c:1654
 icmp_sk_init net/ipv4/icmp.c:1460 [inline]
 icmp_sk_init+0xfd/0x500 net/ipv4/icmp.c:1449
 ops_init+0xaf/0x470 net/core/net_namespace.c:140
 setup_net+0x40f/0xa30 net/core/net_namespace.c:333
 copy_net_ns+0x319/0x760 net/core/net_namespace.c:474
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178
 copy_process+0x2cfc/0x74d0 kernel/fork.c:2122
 kernel_clone+0xe7/0xac0 kernel/fork.c:2509
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2626
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 10:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1625 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
 slab_free mm/slub.c:3210 [inline]
 kmem_cache_free+0x8e/0x5a0 mm/slub.c:3226
 sk_prot_free net/core/sock.c:1842 [inline]
 __sk_destruct+0x5a2/0x900 net/core/sock.c:1929
 sk_destruct+0xbd/0xe0 net/core/sock.c:1944
 __sk_free+0xef/0x3d0 net/core/sock.c:1955
 sk_free net/core/sock.c:1966 [inline]
 sock_put include/net/sock.h:1816 [inline]
 sk_common_release+0x292/0x390 net/core/sock.c:3399
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
 __sock_release net/socket.c:648 [inline]
 sock_release+0x87/0x1b0 net/socket.c:676
 inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
 icmp_sk_exit+0x14c/0x280 net/ipv4/icmp.c:1444
 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:175
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88807bbf2580
 which belongs to the cache RAW of size 1432
The buggy address is located 1088 bytes inside of
 1432-byte region [ffff88807bbf2580, ffff88807bbf2b18)
The buggy address belongs to the page:
page:ffffea0001eefc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bbf0
head:ffffea0001eefc00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00013df000 0000000200000002 ffff888018f16780
raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26225, ts 358625456759, free_ts 0
 prep_new_page mm/page_alloc.c:2433 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5388
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
 alloc_slab_page mm/slub.c:1688 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1828
 new_slab mm/slub.c:1891 [inline]
 new_slab_objects mm/slub.c:2637 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2800
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2969
 sk_prot_alloc+0x5f/0x290 net/core/sock.c:1802
 sk_alloc+0x32/0xbc0 net/core/sock.c:1861
 inet_create net/ipv4/af_inet.c:322 [inline]
 inet_create+0x395/0xea0 net/ipv4/af_inet.c:248
 __sock_create+0x353/0x790 net/socket.c:1450
 inet_ctl_sock_create+0x88/0x1d0 net/ipv4/af_inet.c:1654
 tcp_sk_init net/ipv4/tcp_ipv4.c:2883 [inline]
 tcp_sk_init+0x102/0x1370 net/ipv4/tcp_ipv4.c:2872
 ops_init+0xaf/0x470 net/core/net_namespace.c:140
 setup_net+0x40f/0xa30 net/core/net_namespace.c:333
 copy_net_ns+0x319/0x760 net/core/net_namespace.c:474
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88807bbf2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807bbf2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bbf2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88807bbf2a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807bbf2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (6):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-root | 2021/07/20 11:08 | upstream | 2734d6c1b1a0 | bc48c9ab | .config | log | report | syz | | | KASAN: use-after-free Read in tcp_sk_exit |
| ci-upstream-kasan-gce | 2021/08/04 12:17 | upstream | d5ad8ec3cfb5 | 6c236867 | .config | log | report | | | info | KASAN: use-after-free Read in tcp_sk_exit |
| ci-upstream-net-kasan-gce | 2021/10/29 03:27 | net-next | f2edaa4ad5d5 | be531bb4 | .config | log | report | | | info | KASAN: use-after-free Read in tcp_sk_exit |
| ci-upstream-net-kasan-gce | 2021/10/21 15:55 | net-next | dfcb63ce1de6 | c5cb7da8 | .config | log | report | | | info | KASAN: use-after-free Read in tcp_sk_exit |
| ci-upstream-net-kasan-gce | 2021/09/06 07:10 | net-next | 29ce8f970107 | d236a457 | .config | log | report | | | info | KASAN: use-after-free Read in tcp_sk_exit |
| ci-upstream-net-kasan-gce | 2021/07/04 10:25 | net-next | 5e437416ff66 | 55aa55c2 | .config | log | report | | | info | KASAN: use-after-free Read in tcp_sk_exit |
* Struck through repros no longer work on HEAD.