syzbot


KASAN: use-after-free Read in tcp_keepalive_timer

Status: auto-closed as invalid on 2020/11/17 07:09
Subsystems: net
[Documentation on labels]
First crash: 1318d, last: 1318d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in tcp_keepalive_timer (2) net 1 872d 872d 0/26 closed as invalid on 2021/12/14 20:02

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in tcp_fin_time include/net/tcp.h:1477 [inline]
BUG: KASAN: use-after-free in tcp_keepalive_timer+0x895/0xe40 net/ipv4/tcp_timer.c:685
Read of size 4 at addr ffff8880a4622784 by task kworker/u4:0/7

CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 tcp_fin_time include/net/tcp.h:1477 [inline]
 tcp_keepalive_timer+0x895/0xe40 net/ipv4/tcp_timer.c:685
 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
 expire_timers kernel/time/timer.c:1458 [inline]
 __run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
 __run_timers kernel/time/timer.c:1736 [inline]
 run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768
 __do_softirq+0x2de/0xa24 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x1f3/0x230 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:765 [inline]
RIP: 0010:___might_sleep+0x155/0x2f0 kernel/sched/core.c:7267
Code: 61 c3 50 08 48 8b 15 5a 7b 9d 0a 48 83 e8 64 48 39 d0 0f 89 3f 76 01 00 48 85 d2 0f 84 36 76 01 00 5b 5d 41 5c 41 5d 41 5e c3 <48> c7 c0 00 36 b6 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80
RSP: 0018:ffffc90000cdf758 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 1ffff110152bd4a7 RSI: ffffffff89bd6280 RDI: ffff8880a95ea538
RBP: ffffffff8904b880 R08: 0000000000000001 R09: ffffffff8c5f19ff
R10: fffffbfff18be33f R11: 0000000000000001 R12: 00000000000008b3
R13: 0000000000000000 R14: ffff8880a95ea1c0 R15: 0000000000000001
 get_next_corpse net/netfilter/nf_conntrack_core.c:2227 [inline]
 nf_ct_iterate_cleanup+0xb1/0x330 net/netfilter/nf_conntrack_core.c:2249
 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2334 [inline]
 nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2319
 masq_device_event+0xae/0xe0 net/netfilter/nf_nat_masquerade.c:88
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033
 call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
 call_netdevice_notifiers net/core/dev.c:2059 [inline]
 dev_close_many+0x30b/0x650 net/core/dev.c:1634
 rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9258
 unregister_netdevice_many.part.0+0x1a/0x2f0 net/core/dev.c:10426
 unregister_netdevice_many+0x36/0x50 net/core/dev.c:10425
 ip_tunnel_delete_nets+0x3da/0x580 net/ipv4/ip_tunnel.c:1125
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:189
 cleanup_net+0x4ea/0xa00 net/core/net_namespace.c:603
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 6862:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc mm/slab.c:3312 [inline]
 kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482
 kmem_cache_zalloc include/linux/slab.h:656 [inline]
 net_alloc net/core/net_namespace.c:417 [inline]
 copy_net_ns+0x12b/0x5e0 net/core/net_namespace.c:469
 create_new_namespaces+0x3f6/0xb10 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231
 ksys_unshare+0x445/0x8e0 kernel/fork.c:2921
 __do_sys_unshare kernel/fork.c:2989 [inline]
 __se_sys_unshare kernel/fork.c:2987 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2987
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 21:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
 net_free net/core/net_namespace.c:445 [inline]
 net_drop_ns.part.0+0x9b/0xd0 net/core/net_namespace.c:452
 net_drop_ns net/core/net_namespace.c:451 [inline]
 cleanup_net+0x788/0xa00 net/core/net_namespace.c:622
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff8880a4622100
 which belongs to the cache net_namespace of size 7232
The buggy address is located 1668 bytes inside of
 7232-byte region [ffff8880a4622100, ffff8880a4623d40)
The buggy address belongs to the page:
page:00000000a2de8bd8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa4622
head:00000000a2de8bd8 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea000184d708 ffffea000180e088 ffff88821b773300
raw: 0000000000000000 ffff8880a4622100 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4622680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4622700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a4622780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880a4622800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4622880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/08/19 07:00 bpf-next a12a625ce7db e1c29030 .config console log report ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.