==================================================================
BUG: KASAN: use-after-free in tcp_probe_timer net/ipv4/tcp_timer.c:371 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler+0xad3/0xb30 net/ipv4/tcp_timer.c:614
Read of size 4 at addr ffff888059e686c4 by task syz-executor.2/18053

CPU: 0 PID: 18053 Comm: syz-executor.2 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 tcp_probe_timer net/ipv4/tcp_timer.c:371 [inline]
 tcp_write_timer_handler+0xad3/0xb30 net/ipv4/tcp_timer.c:614
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:630
 call_timer_fn+0x1a5/0x710 kernel/time/timer.c:1417
 expire_timers kernel/time/timer.c:1462 [inline]
 __run_timers+0x6f6/0xb10 kernel/time/timer.c:1731
 run_timer_softirq+0x7d/0x140 kernel/time/timer.c:1744
 __do_softirq+0x2cb/0xad5 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 do_softirq+0x7e/0x80 kernel/softirq.c:330
 __local_bh_enable_ip+0xf0/0x110 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:731 [inline]
 __dev_queue_xmit+0x1c39/0x2ef0 net/core/dev.c:4160
 packet_snd net/packet/af_packet.c:3006 [inline]
 packet_sendmsg+0x23b2/0x52c0 net/packet/af_packet.c:3031
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xd3/0x130 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e219
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5377328c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
RDX: 0000000000000080 RSI: 0000000020000440 RDI: 0000000000000004
RBP: 000000000119c1b8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c184
R13: 00007ffdf1748a8f R14: 00007f53773299c0 R15: 000000000119c184

Allocated by task 8486:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2889 [inline]
 slab_alloc mm/slub.c:2897 [inline]
 kmem_cache_alloc+0x145/0x350 mm/slub.c:2902
 kmem_cache_zalloc include/linux/slab.h:672 [inline]
 net_alloc net/core/net_namespace.c:418 [inline]
 copy_net_ns+0x182/0x7b0 net/core/net_namespace.c:470
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xbd/0x230 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x8e0 kernel/fork.c:2957
 __do_sys_unshare kernel/fork.c:3025 [inline]
 __se_sys_unshare kernel/fork.c:3023 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3023
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 69:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:352
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3140 [inline]
 kmem_cache_free+0x82/0x380 mm/slub.c:3156
 net_free net/core/net_namespace.c:446 [inline]
 net_drop_ns net/core/net_namespace.c:453 [inline]
 net_drop_ns net/core/net_namespace.c:449 [inline]
 cleanup_net+0x8d6/0xb10 net/core/net_namespace.c:623
 process_one_work+0x868/0x15c0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff888059e68000
 which belongs to the cache net_namespace of size 7360
The buggy address is located 1732 bytes inside of
 7360-byte region [ffff888059e68000, ffff888059e69cc0)
The buggy address belongs to the page:
page:00000000b57cc5b8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x59e68
head:00000000b57cc5b8 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888011f0e000
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888059e68580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059e68600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888059e68680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888059e68700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059e68780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
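As an added example (it is not part of the syzkaller report above and is not kernel or syzkaller tooling), the following Python parser pulls the triage-relevant fields out of a KASAN slab report and cross-checks the offset the report states ("located 1732 bytes inside of") against the access address and object base it reports. The sample input is an abridged copy of the report above; the NOISE prefix list used to skip instrumentation frames and the result field names are my own choices.

```python
"""Triage parser for a KASAN slab report (added example, not kernel or
syzkaller code).  Extracts the bug type, the access, the first non-KASAN
frame of the access/allocation/free stacks, and the slab object the
address falls into, and verifies the reported offset arithmetically."""
import re

# Abridged copy of the report on this page, used as sample input.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in tcp_probe_timer net/ipv4/tcp_timer.c:371 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler+0xad3/0xb30 net/ipv4/tcp_timer.c:614
Read of size 4 at addr ffff888059e686c4 by task syz-executor.2/18053

CPU: 0 PID: 18053 Comm: syz-executor.2 Not tainted 5.10.0-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 tcp_probe_timer net/ipv4/tcp_timer.c:371 [inline]
 tcp_write_timer_handler+0xad3/0xb30 net/ipv4/tcp_timer.c:614
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:630
 call_timer_fn+0x1a5/0x710 kernel/time/timer.c:1417

Allocated by task 8486:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmem_cache_alloc+0x145/0x350 mm/slub.c:2902
 net_alloc net/core/net_namespace.c:418 [inline]
 copy_net_ns+0x182/0x7b0 net/core/net_namespace.c:470

Freed by task 69:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:352
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 kmem_cache_free+0x82/0x380 mm/slub.c:3156
 net_free net/core/net_namespace.c:446 [inline]
 cleanup_net+0x8d6/0xb10 net/core/net_namespace.c:623

The buggy address belongs to the object at ffff888059e68000
 which belongs to the cache net_namespace of size 7360
The buggy address is located 1732 bytes inside of
 7360-byte region [ffff888059e68000, ffff888059e69cc0)
==================================================================
"""

# Function-name prefixes belonging to KASAN/SLUB instrumentation itself;
# skipped when locating the first frame of interest in each stack
# (assumption: this list is my own, not a kernel convention).
NOISE = ("__dump_stack", "dump_stack", "print_address_description",
         "__kasan_", "kasan_", "slab_", "__slab_", "kmem_cache_")

def _frames(block):
    """Function names of an indented stack block, in order."""
    names = []
    for line in block.splitlines():
        m = re.match(r"\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?=\s|$)", line)
        if m:
            names.append(m.group(1))
    return names

def _first_real_frame(block):
    return next((f for f in _frames(block) if not f.startswith(NOISE)), None)

def parse_kasan_report(text):
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\n which belongs to the cache (\S+) of size (\d+)", text)
    off = re.search(r"located (\d+) bytes inside of", text)
    trace = re.search(r"Call Trace:\n((?: .*\n)+)", text)
    alloc = re.search(r"Allocated by task (\d+):\n((?: .*\n)+)", text)
    freed = re.search(r"Freed by task (\d+):\n((?: .*\n)+)", text)
    if not all((bug, acc, obj, off, trace, alloc, freed)):
        raise ValueError("not a complete KASAN slab report")
    addr, base = int(acc.group(3), 16), int(obj.group(1), 16)
    return {
        "bug": bug.group(1), "func": bug.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)),
        "addr": addr, "task": f"{acc.group(4)}/{acc.group(5)}",
        "cache": obj.group(2), "obj_size": int(obj.group(3)),
        # Recompute the offset from the addresses and compare with the
        # figure KASAN printed; a mismatch means the report was mangled.
        "offset": addr - base,
        "offset_consistent": addr - base == int(off.group(1)),
        "access_frame": _first_real_frame(trace.group(1)),
        "alloc_task": int(alloc.group(1)),
        "alloc_frame": _first_real_frame(alloc.group(2)),
        "free_task": int(freed.group(1)),
        "free_frame": _first_real_frame(freed.group(2)),
    }

if __name__ == "__main__":
    for k, v in parse_kasan_report(SAMPLE_REPORT).items():
        print(f"{k:18} {v:#x}" if k == "addr" else f"{k:18} {v}")
```

On the report above this yields a 4-byte read in tcp_probe_timer, in a timer callback running from softirq context, into a net_namespace object at offset 1732 (0x6c4, matching ffff888059e686c4 minus ffff888059e68000) that was allocated by net_alloc under unshare() and freed by net_free from cleanup_net on a workqueue; the offset check passes, so the report is internally consistent. The regular expressions assume the stock KASAN report layout (one space of indentation per frame, a blank line ending each stack block).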