==================================================================
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2f87/0x3400 net/ipv4/tcp_timer.c:509
Read of size 8 at addr ffff88805adb5780 by task syz-fuzzer/3603
CPU: 1 PID: 3603 Comm: syz-fuzzer Not tainted 6.0.0-syzkaller-02801-gfa182ea26ff0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
tcp_retransmit_timer+0x2f87/0x3400 net/ipv4/tcp_timer.c:509
tcp_write_timer_handler net/ipv4/tcp_timer.c:620 [inline]
tcp_write_timer_handler+0x4de/0x9f0 net/ipv4/tcp_timer.c:594
tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:637
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:file_ctx security/apparmor/include/file.h:33 [inline]
RIP: 0010:aa_file_perm+0xee/0x1230 security/apparmor/file.c:609
Code: 89 44 24 38 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 dc 0f 00 00 48 c7 c2 f4 5d a4 8b 4c 8b b3 a0 01 00 00 <48> b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02 48 c7 c0 f4
RSP: 0018:ffffc90003dcfb68 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff88807a4c3b80 RCX: 0000000000000000
RDX: ffffffff8ba45df4 RSI: ffffffff83c58a39 RDI: ffffffff8a42a240
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88807a4c3b80
R13: ffff8880119c52b0 R14: ffff88807f025d20 R15: ffff88807a4c3bfc
common_file_perm security/apparmor/lsm.c:495 [inline]
apparmor_file_permission+0x15e/0x4e0 security/apparmor/lsm.c:509
security_file_permission+0x4d/0xd0 security/security.c:1518
rw_verify_area+0xae/0x1b0 fs/read_write.c:374
vfs_write+0x1c3/0xdd0 fs/read_write.c:575
ksys_write+0x1e8/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x4ae09b
Code: e8 ea 57 fb ff eb 88 cc cc cc cc cc cc cc cc e8 fb 9b fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c01271f838 EFLAGS: 00000216 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000c000040000 RCX: 00000000004ae09b
RDX: 0000000000000040 RSI: 000000c01271fa40 RDI: 0000000000000010
RBP: 000000c01271f888 R08: 0000000000000001 R09: 000000c00f636de0
R10: 0000000000000040 R11: 0000000000000216 R12: 000000c01271f918
R13: 0000000000000000 R14: 000000c0003ad040 R15: 000000c00d2c2390
Allocated by task 22701:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3248 [inline]
slab_alloc mm/slub.c:3256 [inline]
__kmem_cache_alloc_lru mm/slub.c:3263 [inline]
kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
kmem_cache_zalloc include/linux/slab.h:723 [inline]
net_alloc net/core/net_namespace.c:403 [inline]
copy_net_ns+0x125/0x760 net/core/net_namespace.c:458
create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x445/0x920 kernel/fork.c:3181
__do_sys_unshare kernel/fork.c:3252 [inline]
__se_sys_unshare kernel/fork.c:3250 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
insert_work+0x48/0x350 kernel/workqueue.c:1358
__queue_work+0x625/0x1200 kernel/workqueue.c:1517
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1514 [inline]
__run_timers.part.0+0x4a3/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0x152/0x1d0 kernel/time/timer.c:1805
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
insert_work+0x48/0x350 kernel/workqueue.c:1358
__queue_work+0x625/0x1200 kernel/workqueue.c:1517
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1514 [inline]
__run_timers.part.0+0x4a3/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0x152/0x1d0 kernel/time/timer.c:1805
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
The buggy address belongs to the object at ffff88805adb54c0
which belongs to the cache net_namespace of size 6976
The buggy address is located 704 bytes inside of
6976-byte region [ffff88805adb54c0, ffff88805adb7000)
The buggy address belongs to the physical page:
page:ffffea00016b6c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88805adb54c0 pfn:0x5adb0
head:ffffea00016b6c00 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88801c932601
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001e35e00 dead000000000003 ffff8880119d43c0
raw: ffff88805adb54c0 0000000080040001 00000001ffffffff ffff88801c932601
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 13799, tgid 13798 (syz-executor.0), ts 333611230618, free_ts 333598873357
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:1829 [inline]
allocate_slab+0x27e/0x3d0 mm/slub.c:1974
new_slab mm/slub.c:2034 [inline]
___slab_alloc+0x84f/0xe80 mm/slub.c:3036
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123
slab_alloc_node mm/slub.c:3214 [inline]
slab_alloc mm/slub.c:3256 [inline]
__kmem_cache_alloc_lru mm/slub.c:3263 [inline]
kmem_cache_alloc+0x38c/0x3b0 mm/slub.c:3273
kmem_cache_zalloc include/linux/slab.h:723 [inline]
net_alloc net/core/net_namespace.c:403 [inline]
copy_net_ns+0x125/0x760 net/core/net_namespace.c:458
create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x445/0x920 kernel/fork.c:3181
__do_sys_unshare kernel/fork.c:3252 [inline]
__se_sys_unshare kernel/fork.c:3250 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1449 [inline]
free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2553
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3248 [inline]
slab_alloc mm/slub.c:3256 [inline]
__kmem_cache_alloc_lru mm/slub.c:3263 [inline]
kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags+0x9a/0xe0 include/linux/audit.h:320
user_path_at_empty+0x2b/0x60 fs/namei.c:2875
do_readlinkat+0xcd/0x2f0 fs/stat.c:468
__do_sys_readlink fs/stat.c:501 [inline]
__se_sys_readlink fs/stat.c:498 [inline]
__x64_sys_readlink+0x74/0xb0 fs/stat.c:498
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88805adb5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805adb5700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805adb5780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805adb5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805adb5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 89 44 24 38 mov %eax,0x38(%rsp)
4: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
b: fc ff df
e: 48 c1 ea 03 shr $0x3,%rdx
12: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
16: 0f 85 dc 0f 00 00 jne 0xff8
1c: 48 c7 c2 f4 5d a4 8b mov $0xffffffff8ba45df4,%rdx
23: 4c 8b b3 a0 01 00 00 mov 0x1a0(%rbx),%r14
* 2a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax <-- trapping instruction
31: fc ff df
34: 48 c1 ea 03 shr $0x3,%rdx
38: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: c0 .byte 0xc0
3f: f4 hlt