==================================================================
BUG: KASAN: use-after-free in tcp_write_timeout net/ipv4/tcp_timer.c:230 [inline]
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x9b6/0x33a0 net/ipv4/tcp_timer.c:485
Read of size 4 at addr ffff88018a3309cc by task syz-executor4/20515

CPU: 0 PID: 20515 Comm: syz-executor4 Not tainted 4.19.0-rc7+ #181
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 tcp_write_timeout net/ipv4/tcp_timer.c:230 [inline]
 tcp_retransmit_timer+0x9b6/0x33a0 net/ipv4/tcp_timer.c:485
 tcp_write_timer_handler+0x34c/0x970 net/ipv4/tcp_timer.c:598
 tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:618
 call_timer_fn+0x272/0x920 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7e5/0xc70 kernel/time/timer.c:1682
 run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1695
 __do_softirq+0x30b/0xad8 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1cb/0x760 arch/x86/kernel/apic/apic.c:1056
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:864
RIP: 0010:plist_check_prev_next+0x1/0x1b0 lib/plist.c:35
Code: e8 b4 12 df fb 89 c3 e8 2d e5 d4 f9 89 d8 5b 41 5c 5d c3 bb ff ff ff ff eb ed 4c 89 e7 e8 67 55 18 fa eb ab 90 90 90 90 90 55 <48> 89 e5 41 57 41 56 49 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48
RSP: 0018:ffff8801cc4cf1c0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffff10039899eec RBX: ffff8801cc4cf760 RCX: ffff8801cc4cf760
RDX: ffffc90000c6e340 RSI: ffff8801cc4cf760 RDI: ffffc90000c6e340
RBP: ffff8801cc4cf1f0 R08: ffff88018d1ce2c0 R09: ffffed0031a39c5a
R10: ffffed0031a39c5a R11: ffff88018d1ce2d7 R12: ffffc90000c6e340
R13: ffffc90000c6e340 R14: dffffc0000000000 R15: dffffc0000000000
 plist_check_head+0xea/0x150 lib/plist.c:61
 plist_add+0x601/0x7a0 lib/plist.c:104
 __queue_me kernel/futex.c:2187 [inline]
 queue_me kernel/futex.c:2206 [inline]
 futex_wait_queue_me+0x277/0x840 kernel/futex.c:2513
 futex_wait+0x45c/0xa50 kernel/futex.c:2645
 do_futex+0x31a/0x26d0 kernel/futex.c:3528
 __do_compat_sys_futex kernel/futex_compat.c:201 [inline]
 __se_compat_sys_futex kernel/futex_compat.c:175 [inline]
 __ia32_compat_sys_futex+0x3d9/0x5f0 kernel/futex_compat.c:175
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f34ca9
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:000000000845fbfc EFLAGS: 00000202 ORIG_RAX: 00000000000000f0
RAX: ffffffffffffffda RBX: 000000000814af6c RCX: 0000000000000080
RDX: 0000000000000000 RSI: 000000000845fd34 RDI: 0000000000000000
RBP: 00000000000003e8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 13026:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x730 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 net_alloc net/core/net_namespace.c:384 [inline]
 copy_net_ns+0x15b/0x4a0 net/core/net_namespace.c:424
 create_new_namespaces+0x6ad/0x900 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206
 ksys_unshare+0x79c/0x10b0 kernel/fork.c:2489
 __do_sys_unshare kernel/fork.c:2557 [inline]
 __se_sys_unshare kernel/fork.c:2555 [inline]
 __ia32_sys_unshare+0x30/0x40 kernel/fork.c:2555
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 7512:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3756
 net_free net/core/net_namespace.c:400 [inline]
 net_drop_ns.part.14+0x129/0x150 net/core/net_namespace.c:407
 net_drop_ns net/core/net_namespace.c:406 [inline]
 cleanup_net+0x849/0xb10 net/core/net_namespace.c:569
 process_one_work+0xc90/0x1b90 kernel/workqueue.c:2153
 worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
 kthread+0x35a/0x420 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

The buggy address belongs to the object at ffff88018a330280
 which belongs to the cache net_namespace of size 8576
The buggy address is located 1868 bytes inside of
 8576-byte region [ffff88018a330280, ffff88018a332400)
The buggy address belongs to the page:
page:ffffea000628cc00 count:1 mapcount:0 mapping:ffff8801d9be7e00 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea00064b4c08 ffffea0007628808 ffff8801d9be7e00
raw: 0000000000000000 ffff88018a330280 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88018a330880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88018a330900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88018a330980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88018a330a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88018a330a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================