KASAN: use-after-free Read in tcp_retransmit_timer (5)


syzbot

Feb 24, 2020, 2:40:14 AM
to and...@fb.com, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, edum...@google.com, ka...@fb.com, ku...@kernel.org, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, y...@fb.com, yosh...@linux-ipv6.org
Hello,

syzbot found the following crash on:

HEAD commit: 41f57cfd Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=1460da7ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=768cc3d3e277cc16
dashboard link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+694120...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2c51/0x30e0 net/ipv4/tcp_timer.c:500
Read of size 8 at addr ffff888062cc0338 by task syz-executor.0/18199

CPU: 0 PID: 18199 Comm: syz-executor.0 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:641
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
tcp_retransmit_timer+0x2c51/0x30e0 net/ipv4/tcp_timer.c:500
tcp_write_timer_handler+0x6be/0x8d0 net/ipv4/tcp_timer.c:611
tcp_write_timer+0xac/0x2e0 net/ipv4/tcp_timer.c:631
call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
__do_softirq+0x262/0x98c kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:slab_alloc mm/slab.c:3313 [inline]
RIP: 0010:__do_kmalloc mm/slab.c:3654 [inline]
RIP: 0010:__kmalloc+0x2b8/0x770 mm/slab.c:3665
Code: 7e 0f 85 d6 fe ff ff e8 a7 af 4c ff e9 cc fe ff ff e8 4c 6d c7 ff 48 83 3d dc f5 ff 07 00 0f 84 4f 03 00 00 48 8b 7d c0 57 9d <0f> 1f 44 00 00 e9 5e fe ff ff 31 d2 be 35 02 00 00 48 c7 c7 de dd
RSP: 0018:ffffc900019675a8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000c40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8880569e29d8 RDI: 0000000000000282
RBP: ffffc90001967620 R08: ffff8880569e2140 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000001000
R13: 0000000000000c40 R14: ffff8880aa402000 R15: ffff8880962fa000
kmalloc include/linux/slab.h:560 [inline]
tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x2a3/0x3e0 security/tomoyo/file.c:771
tomoyo_file_open security/tomoyo/tomoyo.c:319 [inline]
tomoyo_file_open+0xa9/0xd0 security/tomoyo/tomoyo.c:314
security_file_open+0x71/0x300 security/security.c:1529
do_dentry_open+0x37a/0x1380 fs/open.c:784
vfs_open+0xa0/0xd0 fs/open.c:914
do_last fs/namei.c:3490 [inline]
path_openat+0x12ee/0x3490 fs/namei.c:3607
do_filp_open+0x192/0x260 fs/namei.c:3637
do_sys_openat2+0x5eb/0x7e0 fs/open.c:1149
do_sys_open+0xf2/0x180 fs/open.c:1165
ksys_open include/linux/syscalls.h:1386 [inline]
__do_sys_open fs/open.c:1171 [inline]
__se_sys_open fs/open.c:1169 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1169
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4161c0
Code: 05 48 3d 01 f0 ff ff 0f 83 2d 19 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d ad 22 87 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff
RSP: 002b:00007ffd846aa178 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffd846aa1a4 RCX: 00000000004161c0
RDX: 00007ffd846aa1aa RSI: 0000000000080001 RDI: 00000000004c1fef
RBP: 00007ffd846aa1a0 R08: 0000000000008040 R09: 0000000000000004
R10: 0000000000000075 R11: 0000000000000246 R12: 00000000004c1fef
R13: 00007ffd846aa6c0 R14: 0000000000000000 R15: 00007ffd846aa6d0

Allocated by task 2861:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
__do_kmalloc_node mm/slab.c:3616 [inline]
__kmalloc_node_track_caller+0x4e/0x70 mm/slab.c:3630
__kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:142
__alloc_skb+0x10b/0x5e0 net/core/skbuff.c:210
alloc_skb include/linux/skbuff.h:1081 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:324 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:376 [inline]
nsim_dev_trap_report_work+0x25c/0xaf0 drivers/net/netdevsim/dev.c:415
process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
worker_thread+0x98/0xe40 kernel/workqueue.c:2410
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2861:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3757
skb_free_head+0x93/0xb0 net/core/skbuff.c:590
skb_release_data+0x43c/0x8b0 net/core/skbuff.c:610
skb_release_all+0x4d/0x60 net/core/skbuff.c:664
__kfree_skb net/core/skbuff.c:678 [inline]
consume_skb net/core/skbuff.c:837 [inline]
consume_skb+0xfb/0x410 net/core/skbuff.c:831
nsim_dev_trap_report drivers/net/netdevsim/dev.c:390 [inline]
nsim_dev_trap_report_work+0x7cb/0xaf0 drivers/net/netdevsim/dev.c:415
process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
worker_thread+0x98/0xe40 kernel/workqueue.c:2410
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888062cc0000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 824 bytes inside of
4096-byte region [ffff888062cc0000, ffff888062cc1000)
The buggy address belongs to the page:
page:ffffea00018b3000 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00024ce208 ffffea00029a7b08 ffff8880aa402000
raw: 0000000000000000 ffff888062cc0000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888062cc0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888062cc0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888062cc0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888062cc0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888062cc0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 22, 2021, 6:00:35 AM
to and...@kernel.org, and...@fb.com, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, john.fa...@gmail.com, ka...@fb.com, kps...@kernel.org, ku...@kernel.org, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, t...@hlghospital.com, y...@fb.com, yosh...@linux-ipv6.org
syzbot has found a reproducer for the following issue on:

HEAD commit: 819d11507f66 bpf, selftests: Fix spelling mistake "tained"..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=138bf80db00000
kernel config: https://syzkaller.appspot.com/x/.config?x=22b66456935ee10
dashboard link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172ccbcdb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14fcccedb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+694120...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2ea2/0x3320 net/ipv4/tcp_timer.c:511
Read of size 8 at addr ffff888075d9b6d8 by task jbd2/sda1-8/2936

CPU: 1 PID: 2936 Comm: jbd2/sda1-8 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
tcp_retransmit_timer+0x2ea2/0x3320 net/ipv4/tcp_timer.c:511
tcp_write_timer_handler+0x5e6/0xbc0 net/ipv4/tcp_timer.c:622
tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x1c/0x60 kernel/kcov.c:200
Code: be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 65 8b 05 29 be 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 40 70 02 00 <a9> 00 01 ff 00 74 0e 85 c9 74 35 8b 82 a4 15 00 00 85 c0 74 2b 8b
RSP: 0018:ffffc9000cc8f7e0 EFLAGS: 00000246
RAX: 0000000080000001 RBX: 0000000000005460 RCX: 0000000000000000
RDX: ffff88807dcdd700 RSI: ffffffff82149a29 RDI: 0000000000000003
RBP: 0000000000008000 R08: 0000000000008000 R09: ffff88801d0598ff
R10: ffffffff82149a1c R11: 0000000000000000 R12: ffff88801d059a88
R13: 00000000ffffffff R14: ffff88801d059000 R15: 00000000ffffffff
mb_test_and_clear_bits+0xd9/0x240 fs/ext4/mballoc.c:1675
mb_free_blocks+0x364/0x1370 fs/ext4/mballoc.c:1811
ext4_free_data_in_buddy fs/ext4/mballoc.c:3662 [inline]
ext4_process_freed_data+0x56c/0x1070 fs/ext4/mballoc.c:3713
ext4_journal_commit_callback+0x11e/0x380 fs/ext4/super.c:449
jbd2_journal_commit_transaction+0x55a8/0x6be0 fs/jbd2/commit.c:1171
kjournald2+0x1d0/0x930 fs/jbd2/journal.c:213
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>

Allocated by task 3696:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247
kmem_cache_zalloc include/linux/slab.h:714 [inline]
net_alloc net/core/net_namespace.c:402 [inline]
copy_net_ns+0x125/0x760 net/core/net_namespace.c:457
create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x445/0x920 kernel/fork.c:3075
__do_sys_unshare kernel/fork.c:3146 [inline]
__se_sys_unshare kernel/fork.c:3144 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3144
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 503:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1723 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
slab_free mm/slub.c:3513 [inline]
kmem_cache_free+0xbd/0x5d0 mm/slub.c:3530
net_free net/core/net_namespace.c:431 [inline]
net_free net/core/net_namespace.c:427 [inline]
cleanup_net+0x8ba/0xb00 net/core/net_namespace.c:614
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888075d9b480
which belongs to the cache net_namespace of size 6464
The buggy address is located 600 bytes inside of
6464-byte region [ffff888075d9b480, ffff888075d9cdc0)
The buggy address belongs to the page:
page:ffffea0001d76600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75d98
head:ffffea0001d76600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011885000
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3693, ts 1611631437660, free_ts 92175173930
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3247
kmem_cache_zalloc include/linux/slab.h:714 [inline]
net_alloc net/core/net_namespace.c:402 [inline]
copy_net_ns+0x125/0x760 net/core/net_namespace.c:457
create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x445/0x920 kernel/fork.c:3075
__do_sys_unshare kernel/fork.c:3146 [inline]
__se_sys_unshare kernel/fork.c:3144 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3144
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3388
__unfreeze_partials+0x343/0x360 mm/slub.c:2527
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3270
__alloc_skb+0x215/0x340 net/core/skbuff.c:414
alloc_skb include/linux/skbuff.h:1126 [inline]
alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6078
sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2575
unix_dgram_sendmsg+0x3ec/0x1950 net/unix/af_unix.c:1811
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
sock_write_iter+0x289/0x3c0 net/socket.c:1057
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write+0x429/0x660 fs/read_write.c:503
vfs_write+0x7cd/0xae0 fs/read_write.c:590
ksys_write+0x1ee/0x250 fs/read_write.c:643

Memory state around the buggy address:
ffff888075d9b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888075d9b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888075d9b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888075d9b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888075d9b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: be b0 01 00 00 mov $0x1b0,%esi
5: e8 b4 ff ff ff callq 0xffffffbe
a: 31 c0 xor %eax,%eax
c: c3 retq
d: 90 nop
e: 65 8b 05 29 be 8a 7e mov %gs:0x7e8abe29(%rip),%eax # 0x7e8abe3e
15: 89 c1 mov %eax,%ecx
17: 48 8b 34 24 mov (%rsp),%rsi
1b: 81 e1 00 01 00 00 and $0x100,%ecx
21: 65 48 8b 14 25 40 70 mov %gs:0x27040,%rdx
28: 02 00
* 2a: a9 00 01 ff 00 test $0xff0100,%eax <-- trapping instruction
2f: 74 0e je 0x3f
31: 85 c9 test %ecx,%ecx
33: 74 35 je 0x6a
35: 8b 82 a4 15 00 00 mov 0x15a4(%rdx),%eax
3b: 85 c0 test %eax,%eax
3d: 74 2b je 0x6a
3f: 8b .byte 0x8b
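Before chasing the stack traces in a report like the one above, it pays to check that the header figures agree with each other: the faulting address minus the object start must equal the offset KASAN prints (here ffff888075d9b6d8 - ffff888075d9b480 = 0x258 = 600 bytes into a 6464-byte net_namespace object), the access must fit inside the object, and the shadow byte under the '^' marker says which poison KASAN saw (0xfb is KASAN_KMALLOC_FREE, a freed slab object, so the 8-byte read in tcp_retransmit_timer is on a struct net that cleanup_net had already released). The helper below performs those checks. It is an added example, not code from the syzbot thread or from the kernel; its only input is the header lines of the December 2021 report, copied inline, and the poison values are the generic-mode constants from mm/kasan/kasan.h.

```c
/* Cross-check the header of a KASAN slab report: the faulting address must sit
 * in the slab object at the offset KASAN claims, the access must not run past
 * the object, and the shadow byte under the '^' marker says why KASAN fired.
 * Added triage helper; not code from the syzbot thread or from the kernel. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kasan_report {
  char bug_type[32], func[64], access[8], cache[64];
  unsigned size, obj_size, claimed_off;            /* access width, object size, "located N bytes" */
  unsigned long long addr, obj_start, shadow_base; /* fault address, object start, '>' row base */
  unsigned shadow[16];                             /* shadow bytes of the '>' row, one per 8 bytes */
};

/* Generic-mode KASAN poison values (mm/kasan/kasan.h). */
static const char *shadow_meaning(unsigned v)
{
  switch (v) {
  case 0xfb: return "freed slab object (KASAN_KMALLOC_FREE)";
  case 0xfa: return "freed slab object with free track (KASAN_KMALLOC_FREETRACK)";
  case 0xfc: return "slab redzone (KASAN_KMALLOC_REDZONE)";
  default:   return v < 8 ? "addressable (fully or partially)" : "other poison";
  }
}

/* Returns 0 once every line the checks need has been seen, -1 otherwise.
 * Accepts raw syzbot text and dmesg-prefixed lines ("[ 702.743543][ C1] ..."). */
static int parse_kasan_report(const char *text, struct kasan_report *r)
{
  unsigned found = 0, n;
  unsigned long long a;
  char word[8], name[64], *save = NULL, *copy = strdup(text);

  memset(r, 0, sizeof(*r));
  for (char *ln = strtok_r(copy, "\n", &save); ln; ln = strtok_r(NULL, "\n", &save)) {
    if (*ln == '[') {                       /* drop "[ time][ Cn] " prefix */
      char *p = strchr(ln, ']');
      if (p && p[1] == '[') p = strchr(p + 1, ']');
      if (p) ln = p + 1;
    }
    while (*ln == ' ') ln++;
    if (sscanf(ln, "BUG: KASAN: %31s in %63[^+]", r->bug_type, r->func) == 2)
      found |= 1;
    else if (sscanf(ln, "%7s of size %u at addr %llx", word, &n, &a) == 3) {
      strcpy(r->access, word); r->size = n; r->addr = a; found |= 2;
    } else if (sscanf(ln, "The buggy address belongs to the object at %llx", &a) == 1) {
      r->obj_start = a; found |= 4;
    } else if (sscanf(ln, "which belongs to the cache %63s of size %u", name, &n) == 2) {
      strcpy(r->cache, name); r->obj_size = n; found |= 8;
    } else if (sscanf(ln, "The buggy address is located %u bytes inside of", &n) == 1) {
      r->claimed_off = n; found |= 16;
    } else if (*ln == '>' && sscanf(ln + 1, "%llx:", &a) == 1) {
      char *p = strchr(ln, ':') + 1, *end;  /* 16 hex bytes follow the colon */
      int i;
      for (i = 0; i < 16; i++, p = end) {
        r->shadow[i] = (unsigned)strtoul(p, &end, 16);
        if (end == p) break;
      }
      if (i == 16) { r->shadow_base = a; found |= 32; }
    }
  }
  free(copy);
  return found == 63 ? 0 : -1;
}

/* 1 if the printed figures agree, 0 if not (mangled paste or two interleaved reports). */
static int kasan_report_consistent(const struct kasan_report *r)
{
  unsigned long long off = r->addr - r->obj_start;
  return r->addr >= r->obj_start && off == r->claimed_off &&
         off + r->size <= r->obj_size &&
         r->addr >= r->shadow_base && r->addr < r->shadow_base + 16 * 8;
}

/* Shadow byte covering the faulting address (one shadow byte per 8 bytes). */
static unsigned kasan_shadow_at_fault(const struct kasan_report *r)
{
  return r->shadow[(r->addr - r->shadow_base) / 8];
}

/* Header lines copied from the December 2021 syzbot report; stack traces omitted. */
static const char *sample_report =
    "BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2ea2/0x3320 net/ipv4/tcp_timer.c:511\n"
    "Read of size 8 at addr ffff888075d9b6d8 by task jbd2/sda1-8/2936\n"
    "The buggy address belongs to the object at ffff888075d9b480\n"
    " which belongs to the cache net_namespace of size 6464\n"
    "The buggy address is located 600 bytes inside of\n"
    " 6464-byte region [ffff888075d9b480, ffff888075d9cdc0)\n"
    ">ffff888075d9b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n";

int main(void)
{
  struct kasan_report r;
  if (parse_kasan_report(sample_report, &r) != 0) {
    fputs("report header incomplete\n", stderr);
    return 1;
  }
  printf("%s: %s of %u bytes in %s(), offset %llu in %u-byte %s object: %s\n", r.bug_type,
         r.access, r.size, r.func, r.addr - r.obj_start, r.obj_size, r.cache,
         kasan_report_consistent(&r) ? "figures consistent" : "FIGURES INCONSISTENT");
  printf("shadow 0x%02x: %s\n", kasan_shadow_at_fault(&r), shadow_meaning(kasan_shadow_at_fault(&r)));
  return 0;
}
```

Build with `cc -std=gnu11 -o kasan_check kasan_check.c` and swap in another report's header to triage it. A report whose figures do not agree is usually two CPUs' output interleaved, or a paste that lost lines, and is not worth analysing until the raw console log is at hand; the dashboard's console output link carries the untouched text.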

Tetsuo Handa

Apr 9, 2022, 4:19:54 AM
to b...@vger.kernel.org, syzbot, and...@kernel.org, and...@fb.com, a...@kernel.org, dan...@iogearbox.net, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, john.fa...@gmail.com, ka...@fb.com, kps...@kernel.org, ku...@kernel.org, kuz...@ms2.inr.ac.ru, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, t...@hlghospital.com, y...@fb.com, yosh...@linux-ipv6.org
Hello, bpf developers.

syzbot is reporting a use-after-free increment at __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS).

------------------------------------------------------------
[ 702.730585][ C1] ==================================================================
[ 702.743543][ C1] BUG: KASAN: use-after-free in tcp_retransmit_timer+0x6c0/0x1ba0
[ 702.754301][ C1] Read of size 8 at addr ffff88801eed82b8 by task swapper/1/0
[ 702.765301][ C1]
[ 702.768527][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0 #710
[ 702.778323][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 702.790444][ C1] Call Trace:
[ 702.794903][ C1] <IRQ>
[ 702.798753][ C1] dump_stack_lvl+0xcd/0x134
[ 702.804962][ C1] print_address_description.constprop.0.cold+0x93/0x35d
[ 702.809861][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 702.813344][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 702.817099][ C1] kasan_report.cold+0x83/0xdf
[ 702.820010][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 702.823666][ C1] tcp_retransmit_timer+0x6c0/0x1ba0
[ 702.827159][ C1] ? tcp_mstamp_refresh+0xf/0x60
[ 702.830448][ C1] ? tcp_delack_timer+0x290/0x290
[ 702.833410][ C1] ? mark_held_locks+0x65/0x90
[ 702.836790][ C1] ? ktime_get+0x365/0x420
[ 702.839893][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 702.843144][ C1] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 702.846621][ C1] ? ktime_get+0x2e6/0x420
[ 702.849334][ C1] tcp_write_timer_handler+0x32f/0x5f0
[ 702.852597][ C1] tcp_write_timer+0x86/0x250
[ 702.855736][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 702.859211][ C1] call_timer_fn+0x15d/0x5f0
[ 702.862327][ C1] ? enqueue_timer+0x3b0/0x3b0
[ 702.865295][ C1] ? lock_downgrade+0x3b0/0x3b0
[ 702.868462][ C1] ? mark_held_locks+0x24/0x90
[ 702.871511][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 702.875369][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 702.878610][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 702.882085][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 702.885866][ C1] run_timer_softirq+0xbdb/0xee0
[ 702.889127][ C1] ? call_timer_fn+0x5f0/0x5f0
[ 702.892021][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 702.895881][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 702.899151][ C1] __do_softirq+0x117/0x692
[ 702.901960][ C1] irq_exit_rcu+0xdb/0x110
[ 702.904885][ C1] sysvec_apic_timer_interrupt+0x93/0xc0
[ 702.908837][ C1] </IRQ>
[ 702.910666][ C1] <TASK>
[ 702.965995][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 703.023333][ C1] RIP: 0010:default_idle+0xb/0x10
[ 703.076496][ C1] Code: 04 25 28 00 00 00 75 0f 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 f3 08 fe ff cc cc cc eb 07 0f 00 2d a7 45 50 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
[ 703.208123][ C1] RSP: 0018:ffffc90000757de0 EFLAGS: 00000202
[ 703.276495][ C1] RAX: 000000000008c3e3 RBX: 0000000000000001 RCX: ffffffff86145f10
[ 703.344388][ C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 703.411773][ C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed102338758b
[ 703.477687][ C1] R10: ffff888119c3ac53 R11: ffffed102338758a R12: 0000000000000001
[ 703.537679][ C1] R13: ffffffff8a539e50 R14: 0000000000000000 R15: ffff8881003e0000
[ 703.603213][ C1] ? rcu_eqs_enter.constprop.0+0xb0/0x100
[ 703.667293][ C1] default_idle_call+0xb1/0x330
[ 703.728393][ C1] do_idle+0x37f/0x430
[ 703.789414][ C1] ? mark_held_locks+0x24/0x90
[ 703.852441][ C1] ? arch_cpu_idle_exit+0x30/0x30
[ 703.915057][ C1] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 703.971934][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 704.033376][ C1] ? preempt_count_sub+0xf/0xb0
[ 704.095999][ C1] cpu_startup_entry+0x14/0x20
[ 704.153464][ C1] start_secondary+0x1b7/0x220
[ 704.216128][ C1] ? set_cpu_sibling_map+0x1010/0x1010
[ 704.292706][ C1] secondary_startup_64_no_verify+0xc3/0xcb
[ 704.357456][ C1] </TASK>
[ 704.420920][ C1]
[ 704.483318][ C1] Allocated by task 4577:
[ 704.546652][ C1] kasan_save_stack+0x1e/0x40
[ 704.610435][ C1] __kasan_slab_alloc+0x90/0xc0
[ 704.671983][ C1] kmem_cache_alloc+0x1d7/0x760
[ 704.734249][ C1] copy_net_ns+0xaf/0x4a0
[ 704.795405][ C1] create_new_namespaces.isra.0+0x254/0x660
[ 704.858394][ C1] unshare_nsproxy_namespaces+0xb2/0x160
[ 704.920500][ C1] ksys_unshare+0x372/0x780
[ 704.983267][ C1] __x64_sys_unshare+0x1b/0x20
[ 705.046194][ C1] do_syscall_64+0x35/0xb0
[ 705.107899][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 705.169680][ C1]
[ 705.231276][ C1] Freed by task 8:
[ 705.294349][ C1] kasan_save_stack+0x1e/0x40
[ 705.359217][ C1] kasan_set_track+0x21/0x30
[ 705.422445][ C1] kasan_set_free_info+0x20/0x30
[ 705.481590][ C1] __kasan_slab_free+0x11a/0x160
[ 705.544098][ C1] kmem_cache_free+0xe6/0x6a0
[ 705.605324][ C1] net_free+0x89/0xb0
[ 705.666356][ C1] cleanup_net+0x64a/0x730
[ 705.728952][ C1] process_one_work+0x65c/0xda0
[ 705.792462][ C1] worker_thread+0x7f/0x760
[ 705.858871][ C1] kthread+0x1c6/0x210
[ 705.920770][ C1] ret_from_fork+0x1f/0x30
[ 705.978623][ C1]
[ 706.038487][ C1] The buggy address belongs to the object at ffff88801eed8000
[ 706.038487][ C1] which belongs to the cache net_namespace of size 6528
[ 706.161551][ C1] The buggy address is located 696 bytes inside of
[ 706.161551][ C1] 6528-byte region [ffff88801eed8000, ffff88801eed9980)
[ 706.272381][ C1] The buggy address belongs to the page:
[ 706.334149][ C1] page:ffffea00007bb600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eed8
[ 706.400096][ C1] head:ffffea00007bb600 order:3 compound_mapcount:0 compound_pincount:0
[ 706.460895][ C1] memcg:ffff88801921b441
[ 706.519144][ C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 706.585321][ C1] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888100024500
[ 706.652434][ C1] raw: 0000000000000000 0000000080040004 00000001ffffffff ffff88801921b441
[ 706.717358][ C1] page dumped because: kasan: bad access detected
[ 706.783699][ C1] page_owner tracks the page as allocated
[ 706.844889][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4577, ts 538093730950, free_ts 446175252650
[ 706.984997][ C1] prep_new_page+0x134/0x170
[ 707.056009][ C1] get_page_from_freelist+0x16c7/0x2510
[ 707.130614][ C1] __alloc_pages+0x29a/0x580
[ 707.204976][ C1] alloc_pages+0xda/0x1a0
[ 707.278364][ C1] new_slab+0x29e/0x3a0
[ 707.350591][ C1] ___slab_alloc+0xb66/0xf60
[ 707.416827][ C1] __slab_alloc.isra.0+0x4d/0xa0
[ 707.487734][ C1] kmem_cache_alloc+0x635/0x760
[ 707.560973][ C1] copy_net_ns+0xaf/0x4a0
[ 707.631583][ C1] create_new_namespaces.isra.0+0x254/0x660
[ 707.704556][ C1] unshare_nsproxy_namespaces+0xb2/0x160
[ 707.778185][ C1] ksys_unshare+0x372/0x780
[ 707.853990][ C1] __x64_sys_unshare+0x1b/0x20
[ 707.927571][ C1] do_syscall_64+0x35/0xb0
[ 707.999337][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 708.073634][ C1] page last free stack trace:
[ 708.145935][ C1] free_pcp_prepare+0x325/0x650
[ 708.219254][ C1] free_unref_page+0x19/0x360
[ 708.290288][ C1] __unfreeze_partials+0x320/0x340
[ 708.359731][ C1] qlist_free_all+0x6d/0x160
[ 708.431552][ C1] kasan_quarantine_reduce+0x13d/0x180
[ 708.505070][ C1] __kasan_slab_alloc+0xa2/0xc0
[ 708.577128][ C1] kmem_cache_alloc+0x1d7/0x760
[ 708.649556][ C1] vm_area_alloc+0x1c/0xa0
[ 708.725996][ C1] mmap_region+0x64f/0xc40
[ 708.786537][ C1] do_mmap+0x66b/0xa40
[ 708.861188][ C1] vm_mmap_pgoff+0x1aa/0x270
[ 708.921977][ C1] ksys_mmap_pgoff+0x357/0x410
[ 708.998067][ C1] do_syscall_64+0x35/0xb0
[ 709.072158][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 709.142294][ C1]
[ 709.210670][ C1] Memory state around the buggy address:
[ 709.286139][ C1] ffff88801eed8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 709.363031][ C1] ffff88801eed8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 709.429425][ C1] >ffff88801eed8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 709.496217][ C1] ^
[ 709.560374][ C1] ffff88801eed8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 709.634175][ C1] ffff88801eed8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 709.701217][ C1] ==================================================================
[ 709.767019][ C1] Disabling lock debugging due to kernel taint
[ 709.831133][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 709.890180][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.17.0 #710
[ 709.958293][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 710.031328][ C1] Call Trace:
[ 710.096636][ C1] <IRQ>
[ 710.165649][ C1] dump_stack_lvl+0xcd/0x134
[ 710.232724][ C1] panic+0x263/0x5fa
[ 710.300396][ C1] ? __warn_printk+0xf3/0xf3
[ 710.362683][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 710.425386][ C1] ? preempt_count_sub+0xf/0xb0
[ 710.487806][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 710.550567][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 710.612008][ C1] end_report.cold+0x63/0x6f
[ 710.671465][ C1] kasan_report.cold+0x71/0xdf
[ 710.731242][ C1] ? tcp_retransmit_timer+0x6c0/0x1ba0
[ 710.792468][ C1] tcp_retransmit_timer+0x6c0/0x1ba0
[ 710.850296][ C1] ? tcp_mstamp_refresh+0xf/0x60
[ 710.911655][ C1] ? tcp_delack_timer+0x290/0x290
[ 710.972588][ C1] ? mark_held_locks+0x65/0x90
[ 711.033775][ C1] ? ktime_get+0x365/0x420
[ 711.091494][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 711.153223][ C1] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 711.210432][ C1] ? ktime_get+0x2e6/0x420
[ 711.269857][ C1] tcp_write_timer_handler+0x32f/0x5f0
[ 711.331006][ C1] tcp_write_timer+0x86/0x250
[ 711.391916][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 711.452155][ C1] call_timer_fn+0x15d/0x5f0
[ 711.517305][ C1] ? enqueue_timer+0x3b0/0x3b0
[ 711.580906][ C1] ? lock_downgrade+0x3b0/0x3b0
[ 711.642255][ C1] ? mark_held_locks+0x24/0x90
[ 711.703500][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 711.766484][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 711.828625][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 711.889862][ C1] ? tcp_write_timer_handler+0x5f0/0x5f0
[ 711.952756][ C1] run_timer_softirq+0xbdb/0xee0
[ 712.014027][ C1] ? call_timer_fn+0x5f0/0x5f0
[ 712.063350][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 712.125673][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 712.183626][ C1] __do_softirq+0x117/0x692
[ 712.245067][ C1] irq_exit_rcu+0xdb/0x110
[ 712.294611][ C1] sysvec_apic_timer_interrupt+0x93/0xc0
[ 712.363854][ C1] </IRQ>
[ 712.426802][ C1] <TASK>
[ 712.482854][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 712.542428][ C1] RIP: 0010:default_idle+0xb/0x10
[ 712.577029][ C1] Code: 04 25 28 00 00 00 75 0f 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 f3 08 fe ff cc cc cc eb 07 0f 00 2d a7 45 50 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
[ 712.703886][ C1] RSP: 0018:ffffc90000757de0 EFLAGS: 00000202
[ 712.763854][ C1] RAX: 000000000008c3e3 RBX: 0000000000000001 RCX: ffffffff86145f10
[ 712.829677][ C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 712.893652][ C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed102338758b
[ 712.956344][ C1] R10: ffff888119c3ac53 R11: ffffed102338758a R12: 0000000000000001
[ 713.020195][ C1] R13: ffffffff8a539e50 R14: 0000000000000000 R15: ffff8881003e0000
[ 713.083426][ C1] ? rcu_eqs_enter.constprop.0+0xb0/0x100
[ 713.144632][ C1] default_idle_call+0xb1/0x330
[ 713.207385][ C1] do_idle+0x37f/0x430
[ 713.269538][ C1] ? mark_held_locks+0x24/0x90
[ 713.332700][ C1] ? arch_cpu_idle_exit+0x30/0x30
[ 713.396223][ C1] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 713.460909][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 713.527012][ C1] ? preempt_count_sub+0xf/0xb0
[ 713.594736][ C1] cpu_startup_entry+0x14/0x20
[ 713.662751][ C1] start_secondary+0x1b7/0x220
[ 713.718784][ C1] ? set_cpu_sibling_map+0x1010/0x1010
[ 713.785338][ C1] secondary_startup_64_no_verify+0xc3/0xcb
[ 713.851417][ C1] </TASK>
[ 713.916633][ C1] Kernel Offset: disabled
[ 713.981646][ C1] Rebooting in 10 seconds..
------------------------------------------------------------

I managed to convert https://syzkaller.appspot.com/text?tag=ReproC&x=14fcccedb00000
into a simple single-threaded reproducer shown below.

------------------------------------------------------------
// https://syzkaller.appspot.com/bug?id=8f0e04b2beffcd42f044d46879cc224f6eb71a99
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <pthread.h>
#include <sched.h>   /* unshare(), CLONE_NEWNET */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#ifndef MSG_PROBE
#define MSG_PROBE 0x10
#endif

/* Minimal rtnetlink request builder: one header, then flat attributes. */
struct nlmsg {
  char* pos;
  int nesting;
  struct nlattr* nested[8];
  char buf[4096];
};

static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                         const void* data, int size)
{
  memset(nlmsg, 0, sizeof(*nlmsg));
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  memcpy(hdr + 1, data, size);
  nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                         int size)
{
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = sizeof(*attr) + size;
  attr->nla_type = typ;
  if (size > 0)
    memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

/* Send the built request and read the kernel's reply. On an NLMSG_ERROR
 * reply errno is set to the reported error; with dofail the process exits
 * instead of returning -1. */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
                            int* reply_len, bool dofail)
{
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
                     (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
    if (dofail)
      exit(1);
    return -1;
  }
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
    *reply_len = 0;
  if (n < 0) {
    if (dofail)
      exit(1);
    return -1;
  }
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
    return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = n;
    return 0;
  }
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
}

static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

/* RTM_NEWLINK: bring the interface up and set its link-layer address. */
static void netlink_device_change(int sock, const char* name, const void* mac, int macsize)
{
  struct nlmsg nlmsg;
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(&nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  netlink_attr(&nlmsg, IFLA_ADDRESS, mac, macsize);
  netlink_send(&nlmsg, sock);
}

/* RTM_NEWADDR: add a /24 (IPv4) or /120 (IPv6) address to the interface. */
static void netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize)
{
  struct nlmsg nlmsg;
  struct ifaddrmsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  hdr.ifa_index = if_nametoindex(dev);
  netlink_init(&nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
               sizeof(hdr));
  netlink_attr(&nlmsg, IFA_LOCAL, addr, addrsize);
  netlink_attr(&nlmsg, IFA_ADDRESS, addr, addrsize);
  netlink_send(&nlmsg, sock);
}

static void netlink_add_addr4(int sock, const char* dev, const char* addr)
{
  struct in_addr in_addr;
  inet_pton(AF_INET, addr, &in_addr);
  netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
}

static void netlink_add_addr6(int sock, const char* dev, const char* addr)
{
  struct in6_addr in6_addr;
  inet_pton(AF_INET6, addr, &in6_addr);
  netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
}

/* Configure "lo" inside the fresh network namespace created in main(). */
static void initialize_netdevices(void)
{
  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  uint64_t macaddr = 0x00aaaaaaaaaa;
  if (fd < 0)
    exit(1);
  netlink_add_addr4(fd, "lo", "172.20.20.10");
  netlink_add_addr6(fd, "lo", "fe80::0a");
  netlink_device_change(fd, "lo", &macaddr, ETH_ALEN);
  close(fd);
}

#ifndef __NR_bpf
#define __NR_bpf 321   /* x86_64 */
#endif
static const char program[2053] =
"\xbf\x16\x00\x00\x00\x00\x00\x00\xb7\x07\x00\x00\x01\x00\xf0\xff\x50\x70"
"\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\xc0\x00\x95\x00\x00\x00"
"\x00\x00\x00\x00\x2b\xa7\x28\x04\x15\x98\xd6\xfb\xd3\x0c\xb5\x99\xe8\x3d"
"\x24\xbd\x81\x37\xa3\xaa\x81\xe0\xed\x13\x9a\x85\xd3\x6b\xb3\x01\x9c\x13"
"\xbd\x23\x21\xaf\x3c\xf1\xa5\x4f\x26\xfb\xbf\x22\x0b\x71\xd0\xe6\xad\xfe"
"\xfc\xf1\xd8\xf7\xfa\xf7\x5e\x0f\x22\x6b\xd9\x17\x48\x79\x60\x71\x71\x42"
"\xfa\x9e\xa4\x31\x81\x23\x75\x1c\x0a\x0e\x16\x8c\x18\x86\xd0\xd4\xd3\x53"
"\x79\xbd\x22\x3e\xc8\x39\xbc\x16\xee\x98\x8e\x6e\x0d\xc8\xce\xdf\x3c\xeb"
"\x9f\xbf\xbf\x9b\x0a\x4d\xef\x23\xd4\x30\xf6\x09\x6b\x32\xa8\x34\x38\x81"
"\x07\x20\xa1\x59\xcd\xa9\x03\x63\xdb\x3d\x22\x1e\x15\x2d\xdc\xa6\x40\x57"
"\xff\x3c\x47\x44\xae\xac\xcd\x36\x41\x11\x0b\xec\x4e\x90\x27\xa0\xc8\x05"
"\x5b\xbf\xc3\xa9\x6d\x2e\x89\x10\xc2\xc3\x9e\x4b\xab\xe8\x02\xf5\xab\x3e"
"\x89\xcf\x6c\x66\x2e\xd4\x04\x8d\x3b\x3e\x22\x27\x8d\x00\x03\x1e\x53\x88"
"\xee\x5c\x6e\xce\x1c\xcb\x0c\xd2\xb6\xd3\xcf\xfd\x96\x9d\x18\xce\x74\x00"
"\x68\x72\x5c\x37\x07\x4e\x46\x8e\xe2\x07\xd2\xf7\x39\x02\xea\xcf\xcf\x49"
"\x82\x27\x75\x98\x5b\xf3\x1b\x71\x5f\x58\x88\xb2\xfd\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x60\xdb\xe7\x1c\xce\xee\x10\x00"
"\x00\xdd\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\xdd\xff\xff\xff"
"\x00\x00\xb2\x7c\xf3\xd1\x84\x8a\x54\xd7\x13\x2b\xe1\xff\xb0\xad\xf9\xde"
"\xab\x33\x23\xaa\x9f\xdf\xb5\x2f\xaf\x9c\xb0\x9c\x3b\xfd\x09\x00\x00\x00"
"\xb9\x1a\xb2\x19\xef\xde\xbb\x7b\x3d\xe8\xf6\x75\x81\xcf\x79\x6a\xad\x42"
"\x23\xb9\xff\x7f\xfc\xad\x3f\x6c\x96\x2b\x9f\x03\x00\x00\x00\x00\x00\x00"
"\x00\x1c\xf4\x1a\xb1\x1f\x12\xfb\x1e\x0a\x49\x40\x34\x00\x7d\xe7\xc6\x59"
"\x2d\xf1\xa6\xc6\x4d\x8f\x20\xa6\x77\x45\x40\x9e\x01\x1f\x12\x64\xd4\x3f"
"\x15\x3b\x3d\x34\x89\x9f\x40\x15\x9e\x80\x0e\xa2\x47\x4b\x54\x05\x00\xa3"
"\x0b\x23\xbc\xee\x46\x76\x2c\x20\x93\xbc\xc9\xea\xe5\xee\x3e\x98\x00\x26"
"\xc9\x6f\x80\xee\x1a\x74\xe0\x4b\xde\x74\x07\x50\xfa\x4d\x9a\xaa\x70\x59"
"\x89\xb8\xe6\x73\xe3\x29\x6e\x52\xd3\x37\xc5\x6a\xbf\x11\x28\x74\xec\x51"
"\xd6\xfe\x04\x8b\xa6\x86\x6a\xde\xba\xb5\x31\x68\x77\x0a\x71\xad\x90\x1a"
"\xce\x38\x3e\x41\xd2\x77\xb1\x03\x92\x3a\x9d\x97\x1f\x7a\x25\x91\xdb\xe4"
"\xa9\x12\xff\xaf\x6f\x65\x8f\x3f\x9c\xd1\x62\x86\x74\x4f\x83\xa8\x3f\x13"
"\x8f\x8f\x92\xef\xd9\x22\x39\xea\xfc\xe5\xc1\xb3\xf9\x7a\x29\x7c\x9e\x49"
"\xa0\xc3\x30\x0e\xf7\xb7\xfb\x5f\x09\xe0\xc8\xa8\x68\xa3\x53\x40\x9e\x34"
"\xd3\xe8\x22\x79\x63\x75\x99\xf3\x5a\xd3\xf7\xff\xff\xff\x3c\xac\x39\x4c"
"\x7b\xbd\xcd\x0e\x0e\xb5\x21\x89\x2c\x0f\x32\x01\x5b\xf4\xf2\x26\xa4\xe7"
"\x0f\x03\xcc\x41\x46\xa7\x7a\xf0\x2c\x1d\x4c\xef\xd4\xa2\xb9\x4c\x0a\xed"
"\x84\x77\xdf\xa8\xce\xef\xb4\x67\xf0\x5c\x69\x77\xc7\x8c\xdb\xf3\x77\x04"
"\xec\x73\x75\x55\x39\x2a\x0b\x06\x4b\xda\xba\x71\xf8\x97\x14\x49\x10\xfe"
"\x05\x00\x38\xec\x9e\x47\xde\x89\x29\x8b\x7b\xf4\xd7\x69\xcc\xc1\x8e\xed"
"\xe0\x06\x8c\xa1\x45\x78\x70\xeb\x30\xd2\x11\xe2\x3c\xcc\x8e\x06\xdd\xde"
"\xb6\x17\x99\x25\x7a\xb5\x5f\xf4\x13\xc8\x6b\xa9\xaf\xfb\x12\xec\x75\x7c"
"\x72\x34\xc2\x70\x24\x6c\x87\x8d\x01\x16\x0e\x6c\x07\xbf\x6c\xf8\x80\x9c"
"\x3a\x0d\x06\x23\x57\xba\x25\x15\x56\x72\x30\xad\x1e\x1f\x49\x33\x54\x5f"
"\xc3\xc7\x41\x37\x36\x11\x66\x3f\x6b\x63\xb1\xdd\x04\x4d\xd0\xa2\x76\x8e"
"\x82\x59\x72\xea\x3b\x77\x64\x14\x67\xc8\x9f\xa0\xf8\x2e\x84\x40\x10\x50"
"\x51\xe5\x51\x0a\x33\xdc\xda\x5e\x4e\x20\x2b\xd6\x22\x54\x9c\x4c\xff\x3f"
"\x5e\x50\x1d\x3a\x5d\xd7\x14\x3f\xbf\x22\x1f\xff\x16\x1c\x12\xca\x38\x95"
"\xa3\x00\x00\x00\x00\x00\x00\x0f\xff\x75\x06\x7d\x2a\x21\x4f\x8c\x9d\x9b"
"\x2e\xcf\x63\x01\x6c\x5f\xd9\xc2\x6a\x54\xd4\x3f\xa0\x50\xb8\x8d\x1d\x43"
"\xa8\x64\x5b\xd9\x76\x9b\x7e\x07\x86\x9b\xba\x71\x31\x42\x1c\x0f\x39\x11"
"\x3b\xe7\x66\x4e\x08\xbd\xd7\x11\x5c\x61\xaf\xcb\x71\x8c\xf3\xc4\x68\x0b"
"\x2f\x6c\x7a\x84\x00\xe3\x78\xa9\xb1\x5b\xc2\x0f\x49\xe2\x98\x72\x73\x40"
"\xe8\x7c\xde\xfb\x40\xe5\x6e\x9c\xfa\xd9\x73\x34\x7d\x0d\xe7\xba\x47\x54"
"\xff\x23\x1a\x1b\x93\x3d\x8f\x93\x1b\x8c\x55\x2b\x2c\x7c\x50\x3f\x3d\x0e"
"\x7a\xb0\xe9\x58\xad\xb8\x62\x82\x2e\x40\x00\x99\x95\xae\x16\x6d\xeb\x98"
"\x56\x29\x1a\x43\xa6\xf7\xeb\x2e\x32\xce\xfb\xf4\x63\x78\x9e\xaf\x79\xb8"
"\xd4\xc2\xbf\x0f\x7a\x2c\xb0\x32\xda\xd1\x30\x07\xb8\x2e\x60\xdb\xe9\x86"
"\x4a\x11\x7d\x27\x32\x68\x50\xa7\xc3\xb5\x70\x86\x3f\x53\x2c\x21\x8b\x10"
"\xaf\x13\xd7\xbe\x94\x98\x70\x05\x08\x8a\x83\x88\x0c\xca\xb9\xc9\x92\x0c"
"\x2d\x2a\xf8\xc5\xe1\x3d\x52\xc8\x3a\xc3\xfa\x7c\x3a\xe6\xc0\x83\x84\x86"
"\x5b\x66\xd2\xb4\xdc\xb5\xdd\x9c\xba\x16\xb6\x20\x40\xbf\x87\x02\xae\x12"
"\xc7\x7e\x6e\x34\x99\x1a\xf6\x03\xe3\x85\x6a\x34\x6c\xf7\xf9\xfe\xeb\x70"
"\x88\xae\xda\x89\x0c\xf8\xa4\xa6\xf3\x1b\xa6\xd9\xb8\xcb\x09\x8f\x93\x5b"
"\xdc\xbb\x29\xfd\x0f\x1a\x34\x2c\x01\x00\x00\x00\x00\x00\x00\x00\x48\xa9"
"\xde\xa0\x00\x00\x3a\x85\x67\xa7\x59\x2b\x33\x40\x6f\x1f\x71\xc7\x39\xb5"
"\x5d\xb9\x1d\x23\x09\xdc\x7a\xe4\x01\x00\x5f\x52\x05\x3a\x39\xe7\x30\x7c"
"\x09\xff\x3a\xc3\xe8\x20\xb0\x1c\x57\xdd\x74\xd4\xaa\xfc\x4c\x38\x3a\x17"
"\xbc\x1d\xe5\x34\x7b\xb7\x1c\xa1\x6d\xcb\xbb\xaa\x29\x35\xf6\x02\x32\x59"
"\x84\x38\x6b\x21\xb9\x64\x92\xae\x66\x20\x82\xb5\x6c\xf6\x66\xe6\x3a\x75"
"\x7c\x0e\xf3\xea\x7a\xf6\x88\x15\x13\xbe\x94\xb3\x66\xe1\x5f\xfc\xa8\xec"
"\x45\x3b\x3a\x2a\x67\xbe\xdc\xa1\xc7\x66\x95\x22\xe8\xdf\xf8\xbc\x57\x0a"
"\x93\xfb\xdb\x68\x8c\x3a\xef\xd4\x75\x01\x27\x7a\x6e\xa6\xb1\x11\x63\x39"
"\x2a\x19\xd8\x79\x95\xb5\x1c\x96\xfe\xbd\x5f\x24\xa3\x49\x98\xd2\x01\x0f"
"\xd5\xfa\xcf\x68\xc4\xf8\x4e\x2f\x66\xe2\x7c\x81\xa1\x49\xd7\xb3\x31\x98"
"\x3d\x3b\x74\x44\x49\x53\xfc\x12\x16\xdf\xec\x10\xb7\x24\xbe\x37\x33\xc2"
"\x6f\x12\x53\x83\x76\xe1\x77\xff\xef\x6f\xd2\x60\x3b\xfa\xb9\x68\x31\x95"
"\x7a\x08\xe4\x91\x9a\x46\x3d\x53\x32\xa2\x54\x60\x32\xa3\xc0\x6b\x94\xf1"
"\x68\xe8\xfc\x4b\xda\x0c\x29\x47\x23\xfe\x30\x6f\x26\xc4\x77\xaf\x4b\x92"
"\x66\x44\x67\x29\x85\xfa\xb7\xcc\x67\xbc\x5b\x5f\x5d\x38\xcd\xd8\xdf\x95"
"\x14\x7e\xbe\x1c\xd8\x8b\x0a\x2f\xbb\xde\x99\x51\xbe\x42\x82\x7d\xfd\xdf"
"\xef\xb2\x38\xfa\xc2\x30\x3c\xc8\x98\x2f\x1e\x55\xb0\x05\xaf\xcf\xea\x5e"
"\xb0\x37\x24\x8f\xef\xad\x6b\xb0\x2c\x16\x2c\xe9\x2a\xb1\x27\x13\x52\x2b"
"\x97\x50\x6c\x26\x77\x44\xc8\xec\x3d\x2e\x80\xcf\x32\x05\xd3\x66\x99\xfd"
"\x38\x1b\xc8\x12\x31\xfb\x5e\x12\xe4\x5f\x30\x59\xf3\x61\xd0\x8d\x6a\x6d"
"\x01\xdd\x79\xca\x9b\xfb\x4e\x06\x25\x94\x27\xb0\x29\x44\x7a\x3e\xd7\x0a"
"\x2b\x70\xbe\x52\x1e\xa2\x7d\xc8\xcf\x3c\x9b\xdf\x83\xb9\x34\x05\xdb\x07"
"\xe8\x2e\x2d\xdf\x4c\x4d\x26\xf1\xcd\xd8\xc3\xc9\x73\x6c\xf5\xe5\x08\x6d"
"\xe3\xb4\x84\xf8\x67\x3e\x0e\x97\xdd\x7e\x8a\x87\x21\x48\x61\x3c\x3a\xea"
"\xf2\xd6\x7f\x43\x75\xba\x5c\x7f\x1b\x00\x33\xf8\xdf\xe0\x1d\x9c\xb2\xa7"
"\x08\x01\xf7\x63\x52\x4e\x1d\x79\xd8\x12\xce\xd7\x82\x64\x6b\x5f\x79\xc8"
"\xfc\x08\xbb\x5c\x11\x02\x01\x08\xd7\x02\xed\xd2\xea\x9c\x96\xcf\xcb\x90"
"\x66\x66\x86\x27\x82\x0d\x2d\x48\xaa\x5f\xc0\xa7\xbf\x1b\x51\xaf\xd8\x53"
"\x50\xad\x00\xb7\x8c\x59\x8f\xa8\x70\x1b\x40\x08\x84\xde\x79\x0b\x54\xe5"
"\xab\x2e\x8f\xf0\xc7\xae\x23\xe0\xb6\xee\xac\x95\xc4\xc2\xee\xf2\xe5\xeb"
"\x1d\x01\x9d\x52\x09\x9f\xbd\x40\x4e\x8e\xce\x97\x0f\x67\x73\x6b\xa7\xe9"
"\x60\xbd\x8b\x1e\x41\x05\xce\x7e\x31\xf7\xc9\xc3\xe3\xfa\x61\xaa\xb9\x67"
"\x56\x5e\x04\x00\x00\x00\x00\x00\x00\x00\xa8\xcf\xda\x89\x0a\x98\xb9\x00"
"\x87\xe9\x1d\x70\x3e\x98\x53\x5b\x10\x7b\x8f\x46\x53\xbe\x4c\x46\xa3\xa1"
"\xad\xb0\x7d\x22\x69\x52\xb8\x57\x3b\x41\x70\x18\x31\x6f\xa9\x00\x00\x00"
"\x00\x00\x00\x00\x00\x41\x22\xc8\x63\x70\x9b\x08\xd4\x63\x9a\x2c\xa4\x6a"
"\xc9\x0a\xc4\x29\x13\xee\x9b\xca\xa8\x75\xfc\x70\x0b\xa3\x67\xca\x31\x82"
"\x10\x59\x60\xbe\xf3\x37\x8a\x98\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x25\x03\x18\xa4\x4a\xae\xbd\xe8\x49"
"\x58\x0d\x86\xd1\xaf\xb0\x2a\x49\x6c\x35\xca\x95\x0d\x60\xa3\xd9\x7f\x23"
"\xac\x37\xf8\x80\xdd\xc3\xb1\x7b\x12\x09\xb0\x03\xc3\x33\x4b\x1c\xc0\xdb"
"\x48\x3e\x24\x43\x69\x5f\xc9\x5e\xbb\x83\x20\xc9\xad\xee\x62\x94\x51\x4c"
"\x2c\xa4\x2a\x10\x48\x28\x6d\x70\xd6\x29\x8c\xe1\x4d\x03\x1d\x04\x7b\x08"
"\x0a\x76\x8b\x9d\xc3\x0e\x64\x40\xa1\x03\x0a\xcf\x39\x13\xa5\x78\x65\xa2"
"\x77\xce\x60\xe4\x2c\xe3\xb6\xb4\x3b\x4e\x18\xd5\xb5\x3f\xa1\x9f\x94\x69"
"\x01\x59\x04\xc7\xbb\xde\xf5\xd8\x90\x1f\xff\x46\x14\x77\xe0\x06\xa7\xaa"
"\x3f\x5e\xb4\x80\x09\x82\xcb\x62\x93\x5c\x26\x49\x00\xd9\xb2\xeb\xf2\x7c"
"\xd9\x99\x3f\xce\x0b\x10\x71\xd0\x51\x69\xf3\x38\x60\x91\xcf\xc4\x7d\xe1"
"\x09\xf9\x73\x47\x43\x4b\x79\x06\x40\x76\xe2\xb6\xea\x28\xd6\x9e\xbb\x75"
"\x0d";

static const char license[4] = "GPL";

/* Load only the first insn_cnt = 5 instructions (40 bytes) of `program` as a
 * socket filter, then loop for 3 seconds: each iteration issues a sendmsg()
 * with MSG_FASTOPEN (an implicit connect() to 172.20.20.180:0x4001) and
 * re-attaches the filter to the same TCP socket. */
static void execute_one(void)
{
  const union bpf_attr attr = {
      .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
      .insn_cnt = 5,
      .insns = (unsigned long long)program,
      .license = (unsigned long long)license,
  };
  struct sockaddr_in addr = {
      .sin_family = AF_INET,
      .sin_port = htons(0x4001),
      .sin_addr.s_addr = inet_addr("172.20.20.180"),
  };
  const struct msghdr msg = {
      .msg_name = &addr,
      .msg_namelen = sizeof(addr),
  };
  const int bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, 72);
  const int sock_fd = socket(PF_INET, SOCK_STREAM, 0);
  alarm(3);
  while (1) {
    sendmsg(sock_fd, &msg, MSG_OOB | MSG_PROBE | MSG_CONFIRM | MSG_FASTOPEN);
    setsockopt(sock_fd, SOL_SOCKET, SO_ATTACH_BPF, &bpf_fd, sizeof(bpf_fd));
  }
}

int main(int argc, char *argv[])
{
  /* A private network namespace, torn down when the process exits. */
  if (unshare(CLONE_NEWNET))
    return 1;
  initialize_netdevices();
  execute_one();
  return 0;
}
------------------------------------------------------------

I don't know what this bpf program is doing, but I suspect that this bpf
program somehow involves a PF_INET6 socket without taking a reference to
the net namespace in which this bpf program runs.

Below is the debug printk() patch for 5.17 which I used for tracing.

------------------------------------------------------------
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 5b61c462e534..a2fd96da8e21 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -178,6 +178,7 @@ struct net {
#if IS_ENABLED(CONFIG_SMC)
struct netns_smc smc;
#endif
+ struct list_head struct_net_users;
} __randomize_layout;

#include <linux/seq_file_net.h>
@@ -243,41 +244,16 @@ void ipx_unregister_sysctl(void);
void __put_net(struct net *net);

/* Try using get_net_track() instead */
-static inline struct net *get_net(struct net *net)
-{
- refcount_inc(&net->ns.count);
- return net;
-}
+extern struct net *get_net(struct net *net);

-static inline struct net *maybe_get_net(struct net *net)
-{
- /* Used when we know struct net exists but we
- * aren't guaranteed a previous reference count
- * exists. If the reference count is zero this
- * function fails and returns NULL.
- */
- if (!refcount_inc_not_zero(&net->ns.count))
- net = NULL;
- return net;
-}
+extern struct net *maybe_get_net(struct net *net);

/* Try using put_net_track() instead */
-static inline void put_net(struct net *net)
-{
- if (refcount_dec_and_test(&net->ns.count))
- __put_net(net);
-}
+extern void put_net(struct net *net);

-static inline
-int net_eq(const struct net *net1, const struct net *net2)
-{
- return net1 == net2;
-}
+extern int net_eq(const struct net *net1, const struct net *net2);

-static inline int check_net(const struct net *net)
-{
- return refcount_read(&net->ns.count) != 0;
-}
+extern int check_net(const struct net *net);

void net_drop_ns(void *);

diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 29e41ff3ec93..df89ff3dfa41 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -118,7 +118,7 @@ static inline void __reqsk_free(struct request_sock *req)
if (req->rsk_listener)
sock_put(req->rsk_listener);
kfree(req->saved_syn);
- kmem_cache_free(req->rsk_ops->slab, req);
+ //kmem_cache_free(req->rsk_ops->slab, req);
}

static inline void reqsk_free(struct request_sock *req)
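Review bot: commenting out kmem_cache_free(req->rsk_ops->slab, req) in __reqsk_free() leaks every request_sock for the life of the kernel, and it also removes KASAN's ability to flag a stale tp->fastopen_rsk (the slab object is never poisoned or reused), so for the request_sock side the only remaining signal is the is_to_be_destroyed_net() check added in tcp_retransmit_timer(). That is acceptable for a tracing run bounded by the reproducer's alarm(3), but say so in the description so nobody runs this build for long; `#if 0 ... #endif` would also make the disabled call stand out better than a `//` comment.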
diff --git a/include/net/sock.h b/include/net/sock.h
index 50aecd28b355..d2f386f9aa73 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -540,6 +540,7 @@ struct sock {
#endif
struct rcu_head sk_rcu;
netns_tracker ns_tracker;
+ struct list_head struct_net_user;
};

enum sk_pacing {
@@ -2704,17 +2705,10 @@ static inline void sk_eat_skb(struct sock *sk, struct sk_buff *skb)
__kfree_skb(skb);
}

-static inline
-struct net *sock_net(const struct sock *sk)
-{
- return read_pnet(&sk->sk_net);
-}
-
-static inline
-void sock_net_set(struct sock *sk, struct net *net)
-{
- write_pnet(&sk->sk_net, net);
-}
+extern struct net *sock_net(const struct sock *sk);
+extern void sock_net_set(struct sock *sk, struct net *net);
+extern void sock_net_start_tracking(struct sock *sk, struct net *net);
+extern void sock_net_end_tracking(struct sock *sk);

static inline bool
skb_sk_is_prefetched(struct sk_buff *skb)
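Review bot: sock_net_end_tracking() is declared here but no hunk in this patch calls it, so sockets are never unlinked from net->struct_net_users; that only stays safe because sk_prot_free() in net/core/sock.c no longer frees the socket. If it is wired into the free path later it needs the same `if (net == &init_net) return;` guard that sock_net_start_tracking() has, since init_net sockets are never list_add()ed and list_del() on their never-initialised struct_net_user would operate on garbage pointers.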
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index a5b5bb99c644..cf4e8b224654 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -26,6 +26,8 @@
#include <net/net_namespace.h>
#include <net/netns/generic.h>

+DEFINE_SPINLOCK(net_users_lock);
+
/*
* Our network namespace constructor/destructor lists
*/
@@ -50,6 +52,7 @@ struct net init_net = {
#ifdef CONFIG_KEYS
.key_domain = &init_net_key_domain,
#endif
+ .struct_net_users = LIST_HEAD_INIT(init_net.struct_net_users),
};
EXPORT_SYMBOL(init_net);

@@ -406,6 +409,7 @@ static struct net *net_alloc(void)
net = kmem_cache_zalloc(net_cachep, GFP_KERNEL);
if (!net)
goto out_free;
+ INIT_LIST_HEAD(&net->struct_net_users);

#ifdef CONFIG_KEYS
net->key_domain = kzalloc(sizeof(struct key_tag), GFP_KERNEL);
@@ -432,7 +436,7 @@ static void net_free(struct net *net)
{
if (refcount_dec_and_test(&net->passive)) {
kfree(rcu_access_pointer(net->gen));
- kmem_cache_free(net_cachep, net);
+ //kmem_cache_free(net_cachep, net);
}
}

@@ -637,8 +641,46 @@ EXPORT_SYMBOL(net_ns_barrier);

static DECLARE_WORK(net_cleanup_work, cleanup_net);

+struct to_be_destroyed_net {
+ struct list_head list;
+ struct net *net;
+};
+
+static LIST_HEAD(to_be_destroyed_net_list);
+static DEFINE_SPINLOCK(to_be_destroyed_net_list_lock);
+
+bool is_to_be_destroyed_net(struct net *net)
+{
+ unsigned long flags;
+ struct to_be_destroyed_net *entry;
+ bool found = false;
+
+ spin_lock_irqsave(&to_be_destroyed_net_list_lock, flags);
+ list_for_each_entry(entry, &to_be_destroyed_net_list, list) {
+ if (entry->net == net) {
+ found = true;
+ break;
+ }
+ }
+ spin_unlock_irqrestore(&to_be_destroyed_net_list_lock, flags);
+ return found;
+}
+EXPORT_SYMBOL(is_to_be_destroyed_net);
+
void __put_net(struct net *net)
{
+ struct to_be_destroyed_net *entry = kzalloc(sizeof(*entry), GFP_ATOMIC | __GFP_NOWARN);
+ unsigned long flags;
+
+ if (entry) {
+ entry->net = net;
+ spin_lock_irqsave(&to_be_destroyed_net_list_lock, flags);
+ list_add_tail(&entry->list, &to_be_destroyed_net_list);
+ spin_unlock_irqrestore(&to_be_destroyed_net_list_lock, flags);
+ }
+ pr_info("Releasing net=%px net->ns.count=%d in_use=%d\n",
+ net, refcount_read(&net->ns.count), sock_inuse_get(net));
+ dump_stack();
ref_tracker_dir_exit(&net->refcnt_tracker);
/* Cleanup the network namespace in process context */
if (llist_add(&net->cleanup_list, &cleanup_list))
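Review bot: is_to_be_destroyed_net() works on pointer identity, which is only sound because net_free() above no longer returns the object to net_cachep; that dependency deserves a comment next to to_be_destroyed_net_list, otherwise a recycled struct net address would yield false positives. Two smaller points: when the GFP_ATOMIC | __GFP_NOWARN allocation fails the namespace silently goes untracked (a pr_warn() there would explain a missed report), and entries are appended but never removed, so the walk under to_be_destroyed_net_list_lock grows with every namespace teardown; for the reproducer's single unshare(CLONE_NEWNET) that is harmless.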
@@ -1382,4 +1424,113 @@ const struct proc_ns_operations netns_operations = {
.install = netns_install,
.owner = netns_owner,
};
+
+struct net *get_net(struct net *net)
+{
+ refcount_inc(&net->ns.count);
+ if (net != &init_net) {
+ pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
+ dump_stack();
+ }
+ return net;
+}
+EXPORT_SYMBOL(get_net);
+
+struct net *maybe_get_net(struct net *net)
+{
+ /* Used when we know struct net exists but we
+ * aren't guaranteed a previous reference count
+ * exists. If the reference count is zero this
+ * function fails and returns NULL.
+ */
+ if (!refcount_inc_not_zero(&net->ns.count))
+ net = NULL;
+ else if (net != &init_net) {
+ pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
+ dump_stack();
+ }
+ return net;
+}
+EXPORT_SYMBOL(maybe_get_net);
+
+void put_net(struct net *net)
+{
+ if (net != &init_net) {
+ pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
+ dump_stack();
+ }
+ if (refcount_dec_and_test(&net->ns.count))
+ __put_net(net);
+}
+EXPORT_SYMBOL(put_net);
+
+int net_eq(const struct net *net1, const struct net *net2)
+{
+ return net1 == net2;
+}
+EXPORT_SYMBOL(net_eq);
+
+int check_net(const struct net *net)
+{
+ return refcount_read(&net->ns.count) != 0;
+}
+EXPORT_SYMBOL(check_net);
+
+void sock_net_start_tracking(struct sock *sk, struct net *net)
+{
+ unsigned long flags;
+
+ if (net == &init_net)
+ return;
+ spin_lock_irqsave(&net_users_lock, flags);
+ list_add_tail(&sk->struct_net_user, &net->struct_net_users);
+ spin_unlock_irqrestore(&net_users_lock, flags);
+}
+
+void sock_net_end_tracking(struct sock *sk)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(&net_users_lock, flags);
+ list_del(&sk->struct_net_user);
+ spin_unlock_irqrestore(&net_users_lock, flags);
+}
+
+struct net *sock_net(const struct sock *sk)
+{
+ struct net *net = read_pnet(&sk->sk_net);
+ unsigned long flags;
+ bool found = false;
+ struct sock *s;
+
+ if (net == &init_net)
+ return net;
+ spin_lock_irqsave(&net_users_lock, flags);
+ BUG_ON(!net->struct_net_users.next);
+ BUG_ON(!net->struct_net_users.prev);
+ list_for_each_entry(s, &net->struct_net_users, struct_net_user) {
+ BUG_ON(!s->struct_net_user.next);
+ BUG_ON(!s->struct_net_user.prev);
+ if (s == sk) {
+ found = true;
+ break;
+ }
+ }
+ spin_unlock_irqrestore(&net_users_lock, flags);
+ if (!found) {
+ pr_info("sock=%px is accessing untracked net=%px\n", sk, net);
+ pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
+ sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
+ dump_stack();
+ }
+ return net;
+}
+EXPORT_SYMBOL(sock_net);
+
+void sock_net_set(struct sock *sk, struct net *net)
+{
+ write_pnet(&sk->sk_net, net);
+}
+EXPORT_SYMBOL(sock_net_set);
+
#endif
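Review bot: sock_net() now takes net_users_lock with IRQs disabled and walks every tracked socket of the namespace on each call, and sock_net() sits on nearly every networking path, so the lookup is O(sockets) and will shift the timing of the race being chased; if the trace stays noisy, consider only doing the walk when the net is already in to_be_destroyed_net_list. Separately, get_net(), maybe_get_net() and put_net() all print the identical `pr_info("net=%px count=%d\n", ...)` line, so the console output cannot tell a get from a put without the dump_stack() that follows; prefixing the message with __func__ would make the log greppable.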
diff --git a/net/core/sock.c b/net/core/sock.c
index 6eb174805bf0..3c303117e3bb 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1904,6 +1904,7 @@ static void sock_copy(struct sock *nsk, const struct sock *osk)
nsk->sk_security = sptr;
security_sk_clone(osk, nsk);
#endif
+ sock_net_start_tracking(nsk, read_pnet(&nsk->sk_net));
}

static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
@@ -1953,10 +1954,12 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
cgroup_sk_free(&sk->sk_cgrp_data);
mem_cgroup_sk_free(sk);
security_sk_free(sk);
+ /*
if (slab != NULL)
kmem_cache_free(slab, sk);
else
kfree(sk);
+ */
module_put(owner);
}

@@ -1989,6 +1992,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
sock_inuse_add(net, 1);
}

+ sock_net_start_tracking(sk, net);
sock_net_set(sk, net);
refcount_set(&sk->sk_wmem_alloc, 1);

diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 20cf4a98c69d..412bee1dc9cb 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -433,6 +433,7 @@ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req)
TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX);
}

+extern bool is_to_be_destroyed_net(struct net *net);

/**
* tcp_retransmit_timer() - The TCP retransmit timeout handler
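Review bot: the `extern bool is_to_be_destroyed_net(struct net *net);` prototype belongs in include/net/net_namespace.h beside the other helpers this patch already declares there (get_net(), put_net(), check_net()), rather than open-coded in tcp_timer.c; the function is EXPORT_SYMBOL()ed in net_namespace.c, and a header prototype also keeps -Wmissing-prototypes quiet for that definition.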
@@ -453,6 +454,13 @@ void tcp_retransmit_timer(struct sock *sk)
struct request_sock *req;
struct sk_buff *skb;

+ if (is_to_be_destroyed_net(net)) {
+ pr_info("BUG: Trying to access destroyed net=%px sk=%px\n", net, sk);
+ pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
+ sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
+ WARN_ON(1);
+ }
+
req = rcu_dereference_protected(tp->fastopen_rsk,
lockdep_sock_is_held(sk));
if (req) {
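Review bot: the diagnostic block reads net->ns.count and sk->sk_prot_creator->name on a namespace that is_to_be_destroyed_net() has just reported as being torn down, which is the very use-after-free being chased; it is only safe because net_free() and sk_prot_free() have their kmem_cache_free() calls disabled in this same patch. A comment next to WARN_ON(1) saying so would stop the block being copied into a build without those changes, and WARN_ON_ONCE(1) would keep the console readable if the timer fires repeatedly, as the reproducer's sendmsg() loop makes likely.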
@@ -636,6 +644,7 @@ static void tcp_write_timer(struct timer_list *t)
struct inet_connection_sock *icsk =
from_timer(icsk, t, icsk_retransmit_timer);
struct sock *sk = &icsk->icsk_inet.sk;
+ struct net *net = sock_net(sk);

bh_lock_sock(sk);
if (!sock_owned_by_user(sk)) {
@@ -647,6 +656,11 @@ static void tcp_write_timer(struct timer_list *t)
}
bh_unlock_sock(sk);
sock_put(sk);
+ if (is_to_be_destroyed_net(net)) {
+ pr_info("INFO: About to destroy net=%px sk=%px\n", net, sk);
+ pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
+ sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
+ }
}

void tcp_syn_ack_timeout(const struct request_sock *req)
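Review bot: sk and net are dereferenced after sock_put(sk), which may have dropped the last reference, so the pr_info() lines touch a socket that can already have gone through sk_free(); as in the other hunks this relies on sk_prot_free() and net_free() no longer freeing. Capturing net via sock_net(sk) before bh_lock_sock() is the right snapshot, but moving the is_to_be_destroyed_net() check and its printks to just before sock_put(sk) would remove the dependency on the disabled frees altogether.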
------------------------------------------------------------

And below is the console output with this printk() patch.

------------------------------------------------------------
[ 83.642910][ T2875] net_namespace: net=ffff888036278000 count=2
[ 83.645415][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 83.648311][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.651893][ T2875] Call Trace:
[ 83.653239][ T2875] <TASK>
[ 83.654540][ T2875] dump_stack_lvl+0xcd/0x134
[ 83.656428][ T2875] get_net.cold+0x21/0x26
[ 83.658194][ T2875] sk_alloc+0x1ca/0x8a0
[ 83.659979][ T2875] __netlink_create+0x44/0x160
[ 83.662246][ T2875] netlink_create+0x210/0x310
[ 83.664146][ T2875] ? do_set_master+0x100/0x100
[ 83.666538][ T2875] __sock_create+0x20e/0x4f0
[ 83.668648][ T2875] __sys_socket+0x6f/0x140
[ 83.670597][ T2875] __x64_sys_socket+0x1a/0x20
[ 83.672385][ T2875] do_syscall_64+0x35/0xb0
[ 83.674069][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.676201][ T2875] RIP: 0033:0x7fbbed5067db
[ 83.677873][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[ 83.685279][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 83.688515][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
[ 83.691782][ T2875] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000010
[ 83.694835][ T2875] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fbbed617d50
[ 83.697960][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 000055a16962f410
[ 83.701245][ T2875] R13: 00007ffd7a1e7810 R14: 0000000000000000 R15: 0000000000000000
[ 83.704951][ T2875] </TASK>
[ 83.708603][ T2875] net_namespace: net=ffff888036278000 count=3
[ 83.712187][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 83.715235][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.718777][ T2875] Call Trace:
[ 83.720083][ T2875] <TASK>
[ 83.721401][ T2875] dump_stack_lvl+0xcd/0x134
[ 83.723313][ T2875] get_net.cold+0x21/0x26
[ 83.725388][ T2875] get_proc_task_net+0x99/0x1c0
[ 83.727321][ T2875] proc_tgid_net_lookup+0x21/0x60
[ 83.729327][ T2875] __lookup_slow+0x146/0x280
[ 83.731453][ T2875] walk_component+0x1f2/0x2a0
[ 83.733426][ T2875] path_lookupat.isra.0+0xc4/0x270
[ 83.735638][ T2875] filename_lookup+0x103/0x250
[ 83.737518][ T2875] ? unuse_pde+0x50/0x50
[ 83.739230][ T2875] ? simple_attr_release+0x20/0x20
[ 83.741365][ T2875] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 83.746650][ T2875] user_path_at_empty+0x42/0x60
[ 83.748679][ T2875] do_faccessat+0xd5/0x490
[ 83.750698][ T2875] do_syscall_64+0x35/0xb0
[ 83.752750][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.755147][ T2875] RIP: 0033:0x7fbbed4f416b
[ 83.756987][ T2875] Code: 77 05 c3 0f 1f 40 00 48 8b 15 21 dd 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 f3 0f 1e fa b8 15 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 f1 dc 0d 00 f7 d8
[ 83.764201][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
[ 83.767625][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed4f416b
[ 83.770815][ T2875] RDX: 0000000000000008 RSI: 0000000000000004 RDI: 00007ffd7a1e64f0
[ 83.773982][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0078696e752f7465
[ 83.777202][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
[ 83.780346][ T2875] R13: 00007ffd7a1e64f0 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 83.783686][ T2875] </TASK>
[ 83.785743][ T2875] net_namespace: net=ffff888036278000 count=3
[ 83.788711][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 83.791774][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.795370][ T2875] Call Trace:
[ 83.796779][ T2875] <TASK>
[ 83.798094][ T2875] dump_stack_lvl+0xcd/0x134
[ 83.800045][ T2875] put_net.cold+0x1f/0x24
[ 83.802444][ T2875] proc_tgid_net_lookup+0x4b/0x60
[ 83.804936][ T2875] __lookup_slow+0x146/0x280
[ 83.806890][ T2875] walk_component+0x1f2/0x2a0
[ 83.808840][ T2875] path_lookupat.isra.0+0xc4/0x270
[ 83.810945][ T2875] filename_lookup+0x103/0x250
[ 83.812928][ T2875] ? unuse_pde+0x50/0x50
[ 83.814760][ T2875] ? simple_attr_release+0x20/0x20
[ 83.817416][ T2875] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 83.819696][ T2875] user_path_at_empty+0x42/0x60
[ 83.822173][ T2875] do_faccessat+0xd5/0x490
[ 83.823958][ T2875] do_syscall_64+0x35/0xb0
[ 83.825808][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.827975][ T2875] RIP: 0033:0x7fbbed4f416b
[ 83.829676][ T2875] Code: 77 05 c3 0f 1f 40 00 48 8b 15 21 dd 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 f3 0f 1e fa b8 15 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 f1 dc 0d 00 f7 d8
[ 83.836926][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
[ 83.840089][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed4f416b
[ 83.843171][ T2875] RDX: 0000000000000008 RSI: 0000000000000004 RDI: 00007ffd7a1e64f0
[ 83.846444][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0078696e752f7465
[ 83.849481][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
[ 83.852857][ T2875] R13: 00007ffd7a1e64f0 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 83.855888][ T2875] </TASK>
[ 83.857759][ T2875] net_namespace: net=ffff888036278000 count=3
[ 83.860508][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 83.863611][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.867655][ T2875] Call Trace:
[ 83.869162][ T2875] <TASK>
[ 83.870467][ T2875] dump_stack_lvl+0xcd/0x134
[ 83.872611][ T2875] get_net.cold+0x21/0x26
[ 83.874572][ T2875] sk_alloc+0x1ca/0x8a0
[ 83.876337][ T2875] unix_create1+0x81/0x2c0
[ 83.878159][ T2875] unix_create+0x9a/0x130
[ 83.880015][ T2875] __sock_create+0x20e/0x4f0
[ 83.881874][ T2875] __sys_socket+0x6f/0x140
[ 83.883730][ T2875] __x64_sys_socket+0x1a/0x20
[ 83.886127][ T2875] do_syscall_64+0x35/0xb0
[ 83.888040][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.890433][ T2875] RIP: 0033:0x7fbbed5067db
[ 83.892409][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[ 83.899534][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 83.903158][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed5067db
[ 83.906369][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
[ 83.909364][ T2875] RBP: 0000000000000002 R08: 000000000000000d R09: 0078696e752f7465
[ 83.912373][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
[ 83.915860][ T2875] R13: 00007ffd7a1e64f0 R14: 0000000000000001 R15: 0000000000000000
[ 83.919121][ T2875] </TASK>
[ 83.921478][ T2875] net_namespace: net=ffff888036278000 count=3
[ 83.924516][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 83.927520][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.931006][ T2875] Call Trace:
[ 83.932385][ T2875] <TASK>
[ 83.933651][ T2875] dump_stack_lvl+0xcd/0x134
[ 83.935827][ T2875] put_net.cold+0x1f/0x24
[ 83.937612][ T2875] __sk_destruct+0x1f9/0x3b0
[ 83.939531][ T2875] sk_destruct+0xa6/0xc0
[ 83.941428][ T2875] __sk_free+0x5a/0x1b0
[ 83.943189][ T2875] sk_free+0x6b/0x90
[ 83.944884][ T2875] unix_release_sock+0x4d4/0x6d0
[ 83.946887][ T2875] unix_release+0x2d/0x40
[ 83.948674][ T2875] __sock_release+0x47/0xd0
[ 83.950652][ T2875] ? __sock_release+0xd0/0xd0
[ 83.952626][ T2875] sock_close+0x18/0x20
[ 83.954491][ T2875] __fput+0x117/0x450
[ 83.956241][ T2875] task_work_run+0x75/0xd0
[ 83.958071][ T2875] exit_to_user_mode_prepare+0x273/0x280
[ 83.960365][ T2875] syscall_exit_to_user_mode+0x19/0x60
[ 83.962612][ T2875] do_syscall_64+0x42/0xb0
[ 83.964521][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.967103][ T2875] RIP: 0033:0x7fbbed4f937b
[ 83.968976][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
[ 83.976315][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 83.979599][ T2875] RAX: 0000000000000000 RBX: 0000000000001802 RCX: 00007fbbed4f937b
[ 83.982751][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
[ 83.985979][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 0078696e752f7465
[ 83.989107][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007ffd7a1e6540
[ 83.992365][ T2875] R13: 00007ffd7a1e762c R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 83.995633][ T2875] </TASK>
[ 83.998686][ T2875] net_namespace: net=ffff888036278000 count=3
[ 84.001243][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.005041][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.008594][ T2875] Call Trace:
[ 84.010029][ T2875] <TASK>
[ 84.011797][ T2875] dump_stack_lvl+0xcd/0x134
[ 84.013820][ T2875] get_net.cold+0x21/0x26
[ 84.016049][ T2875] sk_alloc+0x1ca/0x8a0
[ 84.018006][ T2875] unix_create1+0x81/0x2c0
[ 84.019853][ T2875] unix_create+0x9a/0x130
[ 84.021779][ T2875] __sock_create+0x20e/0x4f0
[ 84.023672][ T2875] __sys_socket+0x6f/0x140
[ 84.025544][ T2875] __x64_sys_socket+0x1a/0x20
[ 84.027473][ T2875] do_syscall_64+0x35/0xb0
[ 84.029310][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.031710][ T2875] RIP: 0033:0x7fbbed5067db
[ 84.033512][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[ 84.041069][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 84.044342][ T2875] RAX: ffffffffffffffda RBX: 000000000000780a RCX: 00007fbbed5067db
[ 84.047336][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
[ 84.050451][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 000055a16963001a
[ 84.053617][ T2875] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffd7a1e6540
[ 84.056885][ T2875] R13: 00007ffd7a1e7680 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.059933][ T2875] </TASK>
[ 84.061977][ T2875] net_namespace: net=ffff888036278000 count=3
[ 84.064619][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.067684][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.071207][ T2875] Call Trace:
[ 84.072586][ T2875] <TASK>
[ 84.073835][ T2875] dump_stack_lvl+0xcd/0x134
[ 84.075862][ T2875] put_net.cold+0x1f/0x24
[ 84.077663][ T2875] __sk_destruct+0x1f9/0x3b0
[ 84.079540][ T2875] sk_destruct+0xa6/0xc0
[ 84.081437][ T2875] __sk_free+0x5a/0x1b0
[ 84.085862][ T2875] sk_free+0x6b/0x90
[ 84.087628][ T2875] unix_release_sock+0x4d4/0x6d0
[ 84.089575][ T2875] unix_release+0x2d/0x40
[ 84.091333][ T2875] __sock_release+0x47/0xd0
[ 84.093107][ T2875] ? __sock_release+0xd0/0xd0
[ 84.095003][ T2875] sock_close+0x18/0x20
[ 84.096801][ T2875] __fput+0x117/0x450
[ 84.098375][ T2875] task_work_run+0x75/0xd0
[ 84.100983][ T2875] exit_to_user_mode_prepare+0x273/0x280
[ 84.103425][ T2875] syscall_exit_to_user_mode+0x19/0x60
[ 84.105626][ T2875] do_syscall_64+0x42/0xb0
[ 84.107471][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.109773][ T2875] RIP: 0033:0x7fbbed4f937b
[ 84.111613][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
[ 84.118931][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 84.122539][ T2875] RAX: 0000000000000000 RBX: 000000000000780a RCX: 00007fbbed4f937b
[ 84.125766][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
[ 84.129038][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 000055a16963001a
[ 84.132217][ T2875] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffd7a1e6540
[ 84.135522][ T2875] R13: 00007ffd7a1e7680 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.138787][ T2875] </TASK>
[ 84.141378][ T2875] net_namespace: net=ffff888036278000 count=3
[ 84.143692][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.146720][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.150247][ T2875] Call Trace:
[ 84.151721][ T2875] <TASK>
[ 84.153004][ T2875] dump_stack_lvl+0xcd/0x134
[ 84.154955][ T2875] get_net.cold+0x21/0x26
[ 84.156772][ T2875] sk_alloc+0x1ca/0x8a0
[ 84.158541][ T2875] unix_create1+0x81/0x2c0
[ 84.160417][ T2875] unix_create+0x9a/0x130
[ 84.162226][ T2875] __sock_create+0x20e/0x4f0
[ 84.164112][ T2875] __sys_socket+0x6f/0x140
[ 84.166350][ T2875] __x64_sys_socket+0x1a/0x20
[ 84.168367][ T2875] do_syscall_64+0x35/0xb0
[ 84.170319][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.172755][ T2875] RIP: 0033:0x7fbbed5067db
[ 84.174630][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[ 84.181843][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 84.185360][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
[ 84.188587][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
[ 84.191962][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0000000000000000
[ 84.195151][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7a1e6540
[ 84.198247][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.201606][ T2875] </TASK>
[ 84.203465][ T2875] net_namespace: net=ffff888036278000 count=3
[ 84.206040][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.209034][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.212497][ T2875] Call Trace:
[ 84.213878][ T2875] <TASK>
[ 84.215443][ T2875] dump_stack_lvl+0xcd/0x134
[ 84.217370][ T2875] put_net.cold+0x1f/0x24
[ 84.219202][ T2875] __sk_destruct+0x1f9/0x3b0
[ 84.221245][ T2875] sk_destruct+0xa6/0xc0
[ 84.223004][ T2875] __sk_free+0x5a/0x1b0
[ 84.224776][ T2875] sk_free+0x6b/0x90
[ 84.226342][ T2875] unix_release_sock+0x4d4/0x6d0
[ 84.228268][ T2875] unix_release+0x2d/0x40
[ 84.230137][ T2875] __sock_release+0x47/0xd0
[ 84.231923][ T2875] ? __sock_release+0xd0/0xd0
[ 84.233765][ T2875] sock_close+0x18/0x20
[ 84.236000][ T2875] __fput+0x117/0x450
[ 84.237704][ T2875] task_work_run+0x75/0xd0
[ 84.239496][ T2875] exit_to_user_mode_prepare+0x273/0x280
[ 84.242142][ T2875] syscall_exit_to_user_mode+0x19/0x60
[ 84.244474][ T2875] do_syscall_64+0x42/0xb0
[ 84.246441][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.248704][ T2875] RIP: 0033:0x7fbbed4f937b
[ 84.250500][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
[ 84.257987][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 84.261471][ T2875] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fbbed4f937b
[ 84.264691][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
[ 84.267780][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 0000000000000000
[ 84.271032][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7a1e6540
[ 84.274208][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.277498][ T2875] </TASK>
[ 84.287045][ T2875] net_namespace: net=ffff888036278000 count=3
[ 84.289271][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.292514][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.296133][ T2875] Call Trace:
[ 84.297568][ T2875] <TASK>
[ 84.298859][ T2875] dump_stack_lvl+0xcd/0x134
[ 84.300918][ T2875] get_net.cold+0x21/0x26
[ 84.302637][ T2875] sk_alloc+0x1ca/0x8a0
[ 84.304653][ T2875] inet_create+0x21e/0x7e0
[ 84.306778][ T2875] __sock_create+0x20e/0x4f0
[ 84.308690][ T2875] __sys_socket+0x6f/0x140
[ 84.310513][ T2875] __x64_sys_socket+0x1a/0x20
[ 84.312659][ T2875] do_syscall_64+0x35/0xb0
[ 84.314573][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.316905][ T2875] RIP: 0033:0x7fbbed5067db
[ 84.318820][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[ 84.325864][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 84.329133][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
[ 84.332546][ T2875] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
[ 84.336076][ T2875] RBP: 00007ffd7a1e762c R08: 0000000000000000 R09: 0000000000000000
[ 84.339372][ T2875] R10: 1999999999999999 R11: 0000000000000246 R12: 00007ffd7a1e7630
[ 84.342502][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.345680][ T2875] </TASK>
[ 84.353592][ C0] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
[ 84.358423][ C0] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=3
[ 84.363617][ C0] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.366717][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.370399][ C0] Call Trace:
[ 84.371855][ C0] <IRQ>
[ 84.373042][ C0] dump_stack_lvl+0xcd/0x134
[ 84.374866][ C0] sock_net+0x118/0x160
[ 84.376672][ C0] inet_ehash_insert+0x98/0x490
[ 84.378737][ C0] inet_csk_reqsk_queue_hash_add+0x5b/0x80
[ 84.381582][ C0] tcp_conn_request+0x1082/0x14a0
[ 84.383746][ C0] ? tcp_v4_conn_request+0x6c/0x120
[ 84.386019][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.388249][ C0] tcp_v4_conn_request+0x6c/0x120
[ 84.390356][ C0] tcp_v6_conn_request+0x157/0x1d0
[ 84.392458][ C0] tcp_rcv_state_process+0x443/0x1f20
[ 84.394725][ C0] ? tcp_v4_do_rcv+0x1b5/0x600
[ 84.396681][ C0] tcp_v4_do_rcv+0x1b5/0x600
[ 84.398620][ C0] tcp_v4_rcv+0x1bad/0x1de0
[ 84.400791][ C0] ip_protocol_deliver_rcu+0x52/0x630
[ 84.403773][ C0] ip_local_deliver_finish+0xb4/0x1d0
[ 84.406060][ C0] ip_local_deliver+0xa7/0x320
[ 84.408075][ C0] ? ip_protocol_deliver_rcu+0x630/0x630
[ 84.410374][ C0] ip_rcv_finish+0x108/0x170
[ 84.412225][ C0] ip_rcv+0x69/0x2f0
[ 84.413859][ C0] ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[ 84.416510][ C0] __netif_receive_skb_one_core+0x6a/0xa0
[ 84.418949][ C0] __netif_receive_skb+0x24/0xa0
[ 84.421102][ C0] process_backlog+0x11d/0x320
[ 84.422978][ C0] __napi_poll+0x3d/0x3e0
[ 84.424808][ C0] net_rx_action+0x34e/0x480
[ 84.426713][ C0] __do_softirq+0xde/0x539
[ 84.428458][ C0] ? ip_finish_output2+0x401/0x1060
[ 84.430566][ C0] do_softirq+0xb1/0xf0
[ 84.432611][ C0] </IRQ>
[ 84.433909][ C0] <TASK>
[ 84.435285][ C0] __local_bh_enable_ip+0xbf/0xd0
[ 84.437418][ C0] ip_finish_output2+0x42f/0x1060
[ 84.439382][ C0] ? __ip_finish_output+0x471/0x840
[ 84.443928][ C0] __ip_finish_output+0x471/0x840
[ 84.445988][ C0] ? write_comp_data+0x1c/0x70
[ 84.448014][ C0] ip_finish_output+0x32/0x140
[ 84.449946][ C0] ip_output+0xb2/0x3b0
[ 84.451881][ C0] ? __ip_finish_output+0x840/0x840
[ 84.453979][ C0] ip_local_out+0x6e/0xd0
[ 84.455733][ C0] __ip_queue_xmit+0x306/0x950
[ 84.457580][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.459761][ C0] ? sock_net+0x11d/0x160
[ 84.461577][ C0] __tcp_transmit_skb+0x845/0x1380
[ 84.463573][ C0] tcp_connect+0xb02/0x1c80
[ 84.465713][ C0] ? preempt_schedule_common+0x32/0x80
[ 84.468040][ C0] tcp_v4_connect+0x72c/0x820
[ 84.470357][ C0] __inet_stream_connect+0x157/0x630
[ 84.473029][ C0] ? kmem_cache_alloc_trace+0x556/0x690
[ 84.475392][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.477659][ C0] tcp_sendmsg_locked+0xf16/0x1440
[ 84.479765][ C0] ? __local_bh_enable_ip+0x72/0xd0
[ 84.481880][ C0] tcp_sendmsg+0x2b/0x40
[ 84.483651][ C0] inet_sendmsg+0x45/0x70
[ 84.485640][ C0] ? inet_send_prepare+0x2e0/0x2e0
[ 84.487807][ C0] ____sys_sendmsg+0x390/0x3e0
[ 84.489794][ C0] ? debug_object_activate+0x193/0x210
[ 84.491915][ C0] ___sys_sendmsg+0x97/0xe0
[ 84.493713][ C0] ? __lock_acquire+0x3b2/0x3160
[ 84.495653][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.497772][ C0] ? __fget_light+0x99/0xe0
[ 84.499582][ C0] __sys_sendmsg+0x88/0x100
[ 84.501976][ C0] do_syscall_64+0x35/0xb0
[ 84.503841][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.506292][ C0] RIP: 0033:0x7fbbed5ec0f7
[ 84.508154][ C0] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 84.515353][ C0] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 84.518867][ C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
[ 84.522178][ C0] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
[ 84.525355][ C0] RBP: 00007ffd7a1e762c R08: 0000000000000000 R09: 0000000000000000
[ 84.528392][ C0] R10: 1999999999999999 R11: 0000000000000246 R12: 00007ffd7a1e7630
[ 84.531766][ C0] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.535012][ C0] </TASK>
[ 84.554710][ C0] net_namespace: net=ffff888036278000 count=3
[ 84.557308][ C0] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.560308][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.563719][ C0] Call Trace:
[ 84.565561][ C0] <IRQ>
[ 84.566936][ C0] dump_stack_lvl+0xcd/0x134
[ 84.569111][ C0] put_net.cold+0x1f/0x24
[ 84.571071][ C0] __sk_destruct+0x1f9/0x3b0
[ 84.572995][ C0] sk_destruct+0xa6/0xc0
[ 84.574855][ C0] __sk_free+0x5a/0x1b0
[ 84.576633][ C0] sk_free+0x6b/0x90
[ 84.578324][ C0] deferred_put_nlk_sk+0xb7/0x150
[ 84.580383][ C0] rcu_core+0x37d/0xa00
[ 84.582144][ C0] ? rcu_core+0x31e/0xa00
[ 84.583970][ C0] __do_softirq+0xde/0x539
[ 84.586435][ C0] ? tcp_sendmsg+0x1d/0x40
[ 84.588290][ C0] do_softirq+0xb1/0xf0
[ 84.590022][ C0] </IRQ>
[ 84.591451][ C0] <TASK>
[ 84.592751][ C0] __local_bh_enable_ip+0xbf/0xd0
[ 84.594866][ C0] tcp_sendmsg+0x1d/0x40
[ 84.596737][ C0] inet_sendmsg+0x45/0x70
[ 84.598573][ C0] ? inet_send_prepare+0x2e0/0x2e0
[ 84.600679][ C0] ____sys_sendmsg+0x390/0x3e0
[ 84.602707][ C0] ___sys_sendmsg+0x97/0xe0
[ 84.604712][ C0] ? __lock_acquire+0x3b2/0x3160
[ 84.607154][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.609429][ C0] ? __fget_light+0x99/0xe0
[ 84.611412][ C0] __sys_sendmsg+0x88/0x100
[ 84.613325][ C0] do_syscall_64+0x35/0xb0
[ 84.615297][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.617704][ C0] RIP: 0033:0x7fbbed5ec0f7
[ 84.619846][ C0] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 84.627115][ C0] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 84.630656][ C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
[ 84.633812][ C0] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
[ 84.638113][ C0] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[ 84.641422][ C0] R10: 00007ffd7a1e762c R11: 0000000000000246 R12: 00007ffd7a1e7630
[ 84.644856][ C0] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.648113][ C0] </TASK>
[ 84.745096][ C2] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
[ 84.749028][ C2] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=2
[ 84.754738][ C2] CPU: 2 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.757944][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.761531][ C2] Call Trace:
[ 84.762930][ C2] <IRQ>
[ 84.764209][ C2] dump_stack_lvl+0xcd/0x134
[ 84.766204][ C2] sock_net+0x118/0x160
[ 84.768239][ C2] __inet_lookup_established+0x127/0x360
[ 84.770835][ C2] tcp_v4_rcv+0xbae/0x1de0
[ 84.772780][ C2] ip_protocol_deliver_rcu+0x52/0x630
[ 84.775163][ C2] ip_local_deliver_finish+0xb4/0x1d0
[ 84.777395][ C2] ip_local_deliver+0xa7/0x320
[ 84.779347][ C2] ? ip_protocol_deliver_rcu+0x630/0x630
[ 84.781711][ C2] ip_rcv_finish+0x108/0x170
[ 84.783656][ C2] ip_rcv+0x69/0x2f0
[ 84.785609][ C2] ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[ 84.787945][ C2] __netif_receive_skb_one_core+0x6a/0xa0
[ 84.790338][ C2] __netif_receive_skb+0x24/0xa0
[ 84.792346][ C2] process_backlog+0x11d/0x320
[ 84.794431][ C2] __napi_poll+0x3d/0x3e0
[ 84.796592][ C2] net_rx_action+0x34e/0x480
[ 84.798469][ C2] __do_softirq+0xde/0x539
[ 84.800514][ C2] ? sock_setsockopt+0x103/0x19f0
[ 84.803153][ C2] do_softirq+0xb1/0xf0
[ 84.805116][ C2] </IRQ>
[ 84.806534][ C2] <TASK>
[ 84.807900][ C2] __local_bh_enable_ip+0xbf/0xd0
[ 84.810002][ C2] sock_setsockopt+0x103/0x19f0
[ 84.812178][ C2] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.814535][ C2] __sys_setsockopt+0x2d1/0x330
[ 84.816496][ C2] __x64_sys_setsockopt+0x22/0x30
[ 84.818633][ C2] do_syscall_64+0x35/0xb0
[ 84.820620][ C2] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.823211][ C2] RIP: 0033:0x7fbbed50677e
[ 84.825098][ C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
[ 84.832280][ C2] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[ 84.835905][ C2] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed50677e
[ 84.839164][ C2] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
[ 84.842605][ C2] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[ 84.845893][ C2] R10: 00007ffd7a1e762c R11: 0000000000000217 R12: 00007ffd7a1e7630
[ 84.849091][ C2] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.852527][ C2] </TASK>
[ 84.854068][ C2] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
[ 84.858121][ C2] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=2
[ 84.863384][ C2] CPU: 2 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 84.866705][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.870581][ C2] Call Trace:
[ 84.872201][ C2] <IRQ>
[ 84.873449][ C2] dump_stack_lvl+0xcd/0x134
[ 84.875838][ C2] sock_net+0x118/0x160
[ 84.877670][ C2] __inet_lookup_established+0x24f/0x360
[ 84.880054][ C2] tcp_v4_rcv+0xbae/0x1de0
[ 84.881976][ C2] ip_protocol_deliver_rcu+0x52/0x630
[ 84.884083][ C2] ip_local_deliver_finish+0xb4/0x1d0
[ 84.886449][ C2] ip_local_deliver+0xa7/0x320
[ 84.888449][ C2] ? ip_protocol_deliver_rcu+0x630/0x630
[ 84.890881][ C2] ip_rcv_finish+0x108/0x170
[ 84.893022][ C2] ip_rcv+0x69/0x2f0
[ 84.894792][ C2] ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[ 84.897049][ C2] __netif_receive_skb_one_core+0x6a/0xa0
[ 84.899296][ C2] __netif_receive_skb+0x24/0xa0
[ 84.901420][ C2] process_backlog+0x11d/0x320
[ 84.903470][ C2] __napi_poll+0x3d/0x3e0
[ 84.905410][ C2] net_rx_action+0x34e/0x480
[ 84.907399][ C2] __do_softirq+0xde/0x539
[ 84.909259][ C2] ? sock_setsockopt+0x103/0x19f0
[ 84.914100][ C2] do_softirq+0xb1/0xf0
[ 84.915946][ C2] </IRQ>
[ 84.917252][ C2] <TASK>
[ 84.918598][ C2] __local_bh_enable_ip+0xbf/0xd0
[ 84.920777][ C2] sock_setsockopt+0x103/0x19f0
[ 84.922691][ C2] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.924959][ C2] __sys_setsockopt+0x2d1/0x330
[ 84.926866][ C2] __x64_sys_setsockopt+0x22/0x30
[ 84.928837][ C2] do_syscall_64+0x35/0xb0
[ 84.930807][ C2] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.933016][ C2] RIP: 0033:0x7fbbed50677e
[ 84.934935][ C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
[ 84.942206][ C2] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[ 84.945740][ C2] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed50677e
[ 84.948952][ C2] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
[ 84.952352][ C2] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[ 84.955693][ C2] R10: 00007ffd7a1e762c R11: 0000000000000217 R12: 00007ffd7a1e7630
[ 84.958899][ C2] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 84.962649][ C2] </TASK>
[ 87.351519][ T2875] net_namespace: net=ffff888036278000 count=2
[ 87.354530][ T2875] CPU: 1 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[ 87.357551][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 87.361185][ T2875] Call Trace:
[ 87.362550][ T2875] <TASK>
[ 87.363891][ T2875] dump_stack_lvl+0xcd/0x134
[ 87.365794][ T2875] put_net.cold+0x1f/0x24
[ 87.367655][ T2875] free_nsproxy+0x1fe/0x2c0
[ 87.369737][ T2875] switch_task_namespaces+0x83/0x90
[ 87.372158][ T2875] do_exit+0x566/0x13d0
[ 87.374030][ T2875] ? find_held_lock+0x2b/0x80
[ 87.376164][ T2875] ? get_signal+0x1ef/0x16b0
[ 87.378079][ T2875] do_group_exit+0x51/0x100
[ 87.379966][ T2875] get_signal+0x257/0x16b0
[ 87.382106][ T2875] arch_do_signal_or_restart+0xeb/0x7f0
[ 87.384334][ T2875] exit_to_user_mode_prepare+0x189/0x280
[ 87.386547][ T2875] syscall_exit_to_user_mode+0x19/0x60
[ 87.388895][ T2875] do_syscall_64+0x42/0xb0
[ 87.390765][ T2875] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 87.393095][ T2875] RIP: 0033:0x7fbbed5ec0f7
[ 87.395241][ T2875] Code: Unable to access opcode bytes at RIP 0x7fbbed5ec0cd.
[ 87.398613][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 87.402381][ T2875] RAX: ffffffffffffff96 RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
[ 87.405723][ T2875] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
[ 87.409023][ T2875] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[ 87.412238][ T2875] R10: 00007ffd7a1e762c R11: 0000000000000246 R12: 00007ffd7a1e7630
[ 87.415477][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[ 87.418590][ T2875] </TASK>
[ 87.427287][ T2875] a.out (2875) used greatest stack depth: 11320 bytes left
[ 234.697150][ C0] net_namespace: net=ffff888036278000 count=1
[ 234.710780][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[ 234.720528][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 234.727887][ C0] Call Trace:
[ 234.730895][ C0] <IRQ>
[ 234.734086][ C0] dump_stack_lvl+0xcd/0x134
[ 234.738276][ C0] put_net.cold+0x1f/0x24
[ 234.742162][ C0] __sk_destruct+0x1f9/0x3b0
[ 234.746326][ C0] sk_destruct+0xa6/0xc0
[ 234.749219][ C0] __sk_free+0x5a/0x1b0
[ 234.751159][ C0] sk_free+0x6b/0x90
[ 234.753239][ C0] tcp_write_timer+0x1ff/0x240
[ 234.755181][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 234.757290][ C0] call_timer_fn+0xe3/0x4f0
[ 234.759095][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 234.761341][ C0] run_timer_softirq+0x812/0xac0
[ 234.763337][ C0] __do_softirq+0xde/0x539
[ 234.765104][ C0] irq_exit_rcu+0xb6/0xf0
[ 234.766789][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 234.769139][ C0] </IRQ>
[ 234.770482][ C0] <TASK>
[ 234.771702][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 234.774065][ C0] RIP: 0010:default_idle+0xb/0x10
[ 234.776010][ C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[ 234.783374][ C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
[ 234.785849][ C0] RAX: 000000000002246b RBX: 0000000000000000 RCX: ffffffff842622c0
[ 234.789116][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 234.792254][ C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[ 234.795720][ C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[ 234.798927][ C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[ 234.802563][ C0] default_idle_call+0x6a/0x260
[ 234.804592][ C0] do_idle+0x20c/0x260
[ 234.806332][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 234.808693][ C0] cpu_startup_entry+0x14/0x20
[ 234.810686][ C0] start_kernel+0x8f7/0x91e
[ 234.812538][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 234.815399][ C0] </TASK>
[ 234.816785][ C0] net_namespace: Releasing net=ffff888036278000 net->ns.count=0 in_use=0
[ 234.820358][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[ 234.823664][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 234.827160][ C0] Call Trace:
[ 234.828540][ C0] <IRQ>
[ 234.829812][ C0] dump_stack_lvl+0xcd/0x134
[ 234.831775][ C0] __put_net+0xc8/0x130
[ 234.834723][ C0] put_net+0x7d/0xb0
[ 234.836516][ C0] __sk_destruct+0x1f9/0x3b0
[ 234.838546][ C0] sk_destruct+0xa6/0xc0
[ 234.840453][ C0] __sk_free+0x5a/0x1b0
[ 234.842217][ C0] sk_free+0x6b/0x90
[ 234.844007][ C0] tcp_write_timer+0x1ff/0x240
[ 234.845938][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 234.848146][ C0] call_timer_fn+0xe3/0x4f0
[ 234.850145][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 234.852503][ C0] run_timer_softirq+0x812/0xac0
[ 234.855025][ C0] __do_softirq+0xde/0x539
[ 234.856908][ C0] irq_exit_rcu+0xb6/0xf0
[ 234.858712][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 234.860980][ C0] </IRQ>
[ 234.862279][ C0] <TASK>
[ 234.863598][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 234.865966][ C0] RIP: 0010:default_idle+0xb/0x10
[ 234.868109][ C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[ 234.875407][ C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
[ 234.877869][ C0] RAX: 000000000002246b RBX: 0000000000000000 RCX: ffffffff842622c0
[ 234.881349][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 234.885150][ C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[ 234.888442][ C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[ 234.891831][ C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[ 234.895041][ C0] default_idle_call+0x6a/0x260
[ 234.897019][ C0] do_idle+0x20c/0x260
[ 234.898782][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 234.901456][ C0] cpu_startup_entry+0x14/0x20
[ 234.903364][ C0] start_kernel+0x8f7/0x91e
[ 234.905180][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 234.907426][ C0] </TASK>
[ 234.909661][ C0] INFO: About to destroy net=ffff888036278000 sk=ffff888036058b80
[ 234.913082][ C0] sk->sk_family=2 sk->sk_prot_creator->name=TCP sk->sk_state=7 sk->sk_flags=0x301 net->ns.count=0
[ 260.295512][ C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
[ 260.301941][ C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
[ 260.317639][ C0] ------------[ cut here ]------------
[ 260.323152][ C0] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:461 tcp_retransmit_timer.cold+0xdf/0xe6
[ 260.334901][ C0] Modules linked in:
[ 260.338356][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[ 260.342593][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 260.346821][ C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
[ 260.349704][ C0] Code: 10 48 c7 c7 60 9d ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 a8 25 f2 ff <0f> 0b e9 b6 40 5f ff e8 f3 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
[ 260.359054][ C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
[ 260.362281][ C0] RAX: 0000000000000063 RBX: ffff888036278000 RCX: ffffffff842622c0
[ 260.365646][ C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
[ 260.368691][ C0] RBP: ffff88800e2d8000 R08: ffffffff81170398 R09: 0000000000000000
[ 260.371828][ C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
[ 260.375009][ C0] R13: ffff88800e2d8000 R14: ffff88800e2d8098 R15: ffff88800e2d8080
[ 260.378533][ C0] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 260.382408][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 260.385155][ C0] CR2: 00007fbbed4c8dc0 CR3: 000000000d765000 CR4: 00000000000506f0
[ 260.388406][ C0] Call Trace:
[ 260.389929][ C0] <IRQ>
[ 260.391386][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 260.393743][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 260.396147][ C0] ? ktime_get+0x2d3/0x400
[ 260.398064][ C0] tcp_write_timer_handler+0x257/0x3f0
[ 260.400357][ C0] tcp_write_timer+0x19c/0x240
[ 260.402389][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 260.405068][ C0] call_timer_fn+0xe3/0x4f0
[ 260.407041][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 260.409308][ C0] run_timer_softirq+0x812/0xac0
[ 260.411613][ C0] __do_softirq+0xde/0x539
[ 260.413646][ C0] irq_exit_rcu+0xb6/0xf0
[ 260.415607][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 260.417882][ C0] </IRQ>
[ 260.419276][ C0] <TASK>
[ 260.420672][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 260.423039][ C0] RIP: 0010:default_idle+0xb/0x10
[ 260.425291][ C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[ 260.433105][ C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000206
[ 260.435589][ C0] RAX: 0000000000024239 RBX: 0000000000000000 RCX: ffffffff842622c0
[ 260.438759][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 260.441945][ C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[ 260.445777][ C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[ 260.449093][ C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[ 260.452404][ C0] default_idle_call+0x6a/0x260
[ 260.454562][ C0] do_idle+0x20c/0x260
[ 260.456353][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 260.458887][ C0] cpu_startup_entry+0x14/0x20
[ 260.461152][ C0] start_kernel+0x8f7/0x91e
[ 260.463226][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 260.465718][ C0] </TASK>
[ 260.467111][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 260.469664][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[ 260.472684][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 260.476355][ C0] Call Trace:
[ 260.477800][ C0] <IRQ>
[ 260.479141][ C0] dump_stack_lvl+0xcd/0x134
[ 260.481197][ C0] panic+0x1d0/0x537
[ 260.482913][ C0] ? __warn.cold+0xb0/0x228
[ 260.484892][ C0] ? tcp_retransmit_timer.cold+0xdf/0xe6
[ 260.487190][ C0] __warn.cold+0xc6/0x228
[ 260.488963][ C0] ? tcp_retransmit_timer.cold+0xdf/0xe6
[ 260.491241][ C0] report_bug+0x188/0x1d0
[ 260.493109][ C0] handle_bug+0x3c/0x60
[ 260.495107][ C0] exc_invalid_op+0x14/0x70
[ 260.497016][ C0] asm_exc_invalid_op+0x12/0x20
[ 260.499037][ C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
[ 260.501651][ C0] Code: 10 48 c7 c7 60 9d ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 a8 25 f2 ff <0f> 0b e9 b6 40 5f ff e8 f3 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
[ 260.508760][ C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
[ 260.511211][ C0] RAX: 0000000000000063 RBX: ffff888036278000 RCX: ffffffff842622c0
[ 260.514559][ C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
[ 260.517942][ C0] RBP: ffff88800e2d8000 R08: ffffffff81170398 R09: 0000000000000000
[ 260.521127][ C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
[ 260.524366][ C0] R13: ffff88800e2d8000 R14: ffff88800e2d8098 R15: ffff88800e2d8080
[ 260.528260][ C0] ? vprintk+0x88/0x90
[ 260.530145][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 260.532452][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 260.535072][ C0] ? ktime_get+0x2d3/0x400
[ 260.536958][ C0] tcp_write_timer_handler+0x257/0x3f0
[ 260.539214][ C0] tcp_write_timer+0x19c/0x240
[ 260.541237][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 260.543627][ C0] call_timer_fn+0xe3/0x4f0
[ 260.545677][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 260.547973][ C0] run_timer_softirq+0x812/0xac0
[ 260.550053][ C0] __do_softirq+0xde/0x539
[ 260.551937][ C0] irq_exit_rcu+0xb6/0xf0
[ 260.553767][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 260.556439][ C0] </IRQ>
[ 260.557744][ C0] <TASK>
[ 260.559051][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 260.561515][ C0] RIP: 0010:default_idle+0xb/0x10
[ 260.563619][ C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[ 260.570866][ C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000206
[ 260.573255][ C0] RAX: 0000000000024239 RBX: 0000000000000000 RCX: ffffffff842622c0
[ 260.577004][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 260.580254][ C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[ 260.583366][ C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[ 260.586553][ C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[ 260.589759][ C0] default_idle_call+0x6a/0x260
[ 260.591774][ C0] do_idle+0x20c/0x260
[ 260.593618][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 260.596736][ C0] cpu_startup_entry+0x14/0x20
[ 260.598736][ C0] start_kernel+0x8f7/0x91e
[ 260.600659][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 260.603066][ C0] </TASK>
[ 260.605294][ C0] Kernel Offset: disabled
[ 260.607310][ C0] Rebooting in 10 seconds..
------------------------------------------------------------

Would you check where this PF_INET6 socket is created at and whether
this PF_INET6 socket is taking a reference to the net namespace?

Eric Dumazet

unread,
Apr 9, 2022, 12:46:34 PM4/9/22
to Tetsuo Handa, bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, t...@hlghospital.com, Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds, Trond Myklebust
Try removing NFS from your kernel .config ? If your repro still works,
then another user of kernel TCP socket needs some care.

NFS maintainers and other folks are already working on fixing this issue,
which is partly caused by fs/file_table.c being able to delay fput(),
look at code in fput_many()

Kernel TCP sockets are tricky, they (for good reasons) do not take a
reference on the net namespace.

This also means that users of such sockets need to make sure the
various tcp timers have been completed,
as sk_stop_timer() is not using del_timer_sync()

Even after a synchronous fput(), there is no guarantee that another
cpu is not running some of the socket timers functions.

Eric Dumazet

unread,
Apr 9, 2022, 1:47:12 PM4/9/22
to Tetsuo Handa, bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, t...@hlghospital.com, Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds, Trond Myklebust
On Sat, Apr 9, 2022 at 9:46 AM Eric Dumazet <edum...@google.com> wrote:
>
> On Sat, Apr 9, 2022 at 1:19 AM Tetsuo Handa
> <penguin...@i-love.sakura.ne.jp> wrote:
> >
> > Hello, bpf developers.
> >
> > syzbot is reporting use-after-free increment at __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS).
>
>
> Try removing NFS from your kernel .config ? If your repro still works,
> then another user of kernel TCP socket needs some care.
>
> NFS maintainers and other folks are already working on fixing this issue,
> which is partly caused by fs/file_table.c being able to delay fput(),
> look at code in fput_many()
>
> Kernel TCP sockets are tricky, they (for good reasons) do not take a
> reference on the net namespace.
>
> This also means that users of such sockets need to make sure the
> various tcp timers have been completed,
> as sk_stop_timer() is not using del_timer_sync()
>
> Even after a synchronous fput(), there is no guarantee that another
> cpu is not running some of the socket timers functions.

So please add to your tree the NFS fix:

commit f00432063db1a0db484e85193eccc6845435b80e
Author: Trond Myklebust <trond.m...@hammerspace.com>
Date: Sun Apr 3 15:58:11 2022 -0400

SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

We must ensure that all sockets are closed before we call xprt_free()
and release the reference to the net namespace. The problem is that
calling fput() will defer closing the socket until delayed_fput() gets
called.
Let's fix the situation by allowing rpciod and the transport teardown
code (which runs on the system wq) to call __fput_sync(), and directly
close the socket.

Reported-by: Felix Fu <foy...@gmail.com>
Acked-by: Al Viro <vi...@zeniv.linux.org.uk>
Fixes: a73881c96d73 ("SUNRPC: Fix an Oops in udp_poll()")
Cc: sta...@vger.kernel.org # 5.1.x: 3be232f11a3c: SUNRPC: Prevent
immediate close+reconnect
Cc: sta...@vger.kernel.org # 5.1.x: 89f42494f92f: SUNRPC: Don't
call connect() more than once on a TCP socket
Cc: sta...@vger.kernel.org # 5.1.x
Signed-off-by: Trond Myklebust <trond.m...@hammerspace.com>

Then on top of that, add the following fix (I will formally submit
this one once back to work, Monday morning)

diff --git a/include/net/inet_connection_sock.h
b/include/net/inet_connection_sock.h
index 3908296d103fd2de9284adea64dba94fe6b8720f..e2c856ae4fdbef5bd3c7728e376786b804e2d4f1
100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -171,6 +171,7 @@ void inet_csk_init_xmit_timers(struct sock *sk,
void (*delack_handler)(struct timer_list *),
void (*keepalive_handler)(struct timer_list *));
void inet_csk_clear_xmit_timers(struct sock *sk);
+void inet_csk_clear_xmit_timers_sync(struct sock *sk);

static inline void inet_csk_schedule_ack(struct sock *sk)
{
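Review bot: the new `+void inet_csk_clear_xmit_timers_sync(struct sock *sk);` declaration carries no comment distinguishing it from inet_csk_clear_xmit_timers() directly above it. A one-line comment stating that the _sync variant waits for a running timer handler to finish, and therefore must not be called from the socket's own timer or softirq context, would tell future callers why the tcp_close() hunk only uses it after release_sock().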
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 1e5b53c2bb2670fc90b789e853458f5c86a00c27..aab83b766014d0a091a73bdc13376d9cdae99b27
100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -581,6 +581,17 @@ void inet_csk_clear_xmit_timers(struct sock *sk)
}
EXPORT_SYMBOL(inet_csk_clear_xmit_timers);

+void inet_csk_clear_xmit_timers_sync(struct sock *sk)
+{
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+ icsk->icsk_pending = icsk->icsk_ack.pending = 0;
+
+ sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer);
+ sk_stop_timer_sync(sk, &icsk->icsk_delack_timer);
+ sk_stop_timer_sync(sk, &sk->sk_timer);
+}
+
void inet_csk_delete_keepalive_timer(struct sock *sk)
{
sk_stop_timer(sk, &sk->sk_timer);
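Review bot: the body of the new function duplicates inet_csk_clear_xmit_timers() line for line apart from the three sk_stop_timer_sync() calls; a shared static helper taking a sync flag would keep the two from drifting. More importantly, in the tcp_close() hunk this runs after release_sock(), so the `icsk->icsk_pending = icsk->icsk_ack.pending = 0;` store happens without the socket lock while a handler may still be executing on another CPU; the commit message should spell out why that is safe (the sk_stop_timer_sync() calls that follow wait for any handler that could observe the store).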
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e31cf137c6140f76f838b4a0dcddf9f104ad653b..3dacd202bf2af43c55ffe820c08316150d2018ea
100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2928,6 +2928,8 @@ void tcp_close(struct sock *sk, long timeout)
lock_sock(sk);
__tcp_close(sk, timeout);
release_sock(sk);
+ if (!sk->sk_net_refcnt)
+ inet_csk_clear_xmit_timers_sync(sk);
sock_put(sk);
}
EXPORT_SYMBOL(tcp_close);
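Review bot: the `if (!sk->sk_net_refcnt)` guard deserves a comment: the synchronous stop is needed exactly for sockets that do not own a reference on their namespace, because only those can outlive the struct net that their timer handlers dereference through sock_net(sk). Two points for the formal submission: sk_stop_timer_sync() drops the timer's own reference via sock_put() when it removes a pending timer, so the trailing sock_put(sk) may now be the final one and the socket can be freed inside tcp_close() for this class of sockets; and the retransmit timer is what drives an orphaned socket through FIN_WAIT1/LAST_ACK (the states the netstat output later in this thread shows), so the commit message should explain how such kernel sockets are expected to finish their close sequence once their timers are cancelled here.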

Eric Dumazet

unread,
Apr 9, 2022, 1:55:53 PM4/9/22
to Tetsuo Handa, bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, t...@hlghospital.com, Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds, Trond Myklebust
Side note: We will probably be able to revert this patch, that perhaps
was working around the real issue.

commit 4ee806d51176ba7b8ff1efd81f271d7252e03a1d
Author: Dan Streetman <ddst...@ieee.org>
Date: Thu Jan 18 16:14:26 2018 -0500

net: tcp: close sock if net namespace is exiting

When a tcp socket is closed, if it detects that its net namespace is
exiting, close immediately and do not wait for FIN sequence.

For normal sockets, a reference is taken to their net namespace, so it will
never exit while the socket is open. However, kernel sockets do not take a
reference to their net namespace, so it may begin exiting while the kernel
socket is still open. In this case if the kernel socket is a tcp socket,
it will stay open trying to complete its close sequence. The sock's dst(s)
hold a reference to their interface, which are all transferred to the
namespace's loopback interface when the real interfaces are taken down.
When the namespace tries to take down its loopback interface, it hangs
waiting for all references to the loopback interface to release, which
results in messages like:

unregister_netdevice: waiting for lo to become free. Usage count = 1

These messages continue until the socket finally times out and closes.
Since the net namespace cleanup holds the net_mutex while calling its
registered pernet callbacks, any new net namespace initialization is
blocked until the current net namespace finishes exiting.

After this change, the tcp socket notices the exiting net namespace, and
closes immediately, releasing its dst(s) and their reference to the
loopback interface, which lets the net namespace continue exiting.

Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1711407
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=97811
Signed-off-by: Dan Streetman <ddst...@canonical.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Tetsuo Handa

unread,
Apr 9, 2022, 8:38:33 PM4/9/22
to Eric Dumazet, bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, t...@hlghospital.com, Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds, Trond Myklebust
On 2022/04/10 1:46, Eric Dumazet wrote:
> Try removing NFS from your kernel .config ? If your repro still works,
> then another user of kernel TCP socket needs some care.

Since my .config is CONFIG_NETWORK_FILESYSTEMS=n, NFS is irrelevant.

On 2022/04/10 2:47, Eric Dumazet wrote:
> So please add to your tree the NFS fix:
>
> commit f00432063db1a0db484e85193eccc6845435b80e
> Author: Trond Myklebust <trond.m...@hammerspace.com>
> Date: Sun Apr 3 15:58:11 2022 -0400
>
> SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

Since CONFIG_SUNRPC depends on CONFIG_NETWORK_FILESYSTEMS=y,
this NFS fix will also be irrelevant.

On 2022/04/10 2:55, Eric Dumazet wrote:
> Side note: We will probably be able to revert this patch, that perhaps
> was working around the real issue.
>
> commit 4ee806d51176ba7b8ff1efd81f271d7252e03a1d
> Author: Dan Streetman <ddst...@ieee.org>
> Date: Thu Jan 18 16:14:26 2018 -0500
>
> net: tcp: close sock if net namespace is exiting

I uploaded my .config at https://I-love.SAKURA.ne.jp/tmp/config-5.17
so that you can try this reproducer using my .config file.

I haven't identified where the socket

[ 260.295512][ C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
[ 260.301941][ C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0

came from. Can you identify the location?

Tetsuo Handa

unread,
Apr 10, 2022, 1:39:51 AM4/10/22
to Eric Dumazet, bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, t...@hlghospital.com, Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds, Trond Myklebust
On 2022/04/10 9:38, Tetsuo Handa wrote:
> I haven't identified where the socket
>
> [ 260.295512][ C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
> [ 260.301941][ C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
>
> came from. Can you identify the location?
>

It seems that a socket with sk->sk_net_refcnt=0 is created by unshare(CLONE_NEWNET)

------------------------------------------------------------
[ 84.507864][ T2877] sock: sk_alloc(): family=10 net=ffff88800ec88000 sk=ffff888104138c40 sk->sk_net_refcnt=0
[ 84.512117][ T2877] CPU: 0 PID: 2877 Comm: a.out Not tainted 5.17.0-dirty #756
[ 84.515103][ T2877] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 84.518916][ T2877] Call Trace:
[ 84.520346][ T2877] <TASK>
[ 84.521671][ T2877] dump_stack_lvl+0xcd/0x134
[ 84.523633][ T2877] sk_alloc.cold+0x26/0x2b
[ 84.525523][ T2877] inet6_create+0x215/0x840
[ 84.527600][ T2877] __sock_create+0x20e/0x4f0
[ 84.529576][ T2877] rds_tcp_listen_init+0x69/0x1f0
[ 84.531689][ T2877] ? do_raw_spin_unlock+0x50/0xd0
[ 84.533826][ T2877] ? _raw_spin_unlock+0x24/0x40
[ 84.535866][ T2877] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 84.538109][ T2877] ? __register_sysctl_table+0x384/0x6d0
[ 84.540459][ T2877] rds_tcp_init_net+0x154/0x300
[ 84.542512][ T2877] ? rds_tcp_exit+0x1f0/0x1f0
[ 84.544488][ T2877] ops_init+0x4e/0x210
[ 84.546237][ T2877] setup_net+0x22b/0x4a0
[ 84.548075][ T2877] copy_net_ns+0x1a3/0x380
[ 84.550132][ T2877] create_new_namespaces.isra.0+0x187/0x460
[ 84.552740][ T2877] unshare_nsproxy_namespaces+0xa2/0x120
[ 84.555040][ T2877] ksys_unshare+0x2fe/0x640
[ 84.556861][ T2877] __x64_sys_unshare+0x12/0x20
[ 84.558756][ T2877] do_syscall_64+0x35/0xb0
[ 84.561296][ T2877] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.563605][ T2877] RIP: 0033:0x7f9030c55e2b
[ 84.565323][ T2877] Code: 73 01 c3 48 8b 0d 65 c0 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 c0 0c 00 f7 d8 64 89 01 48
[ 84.572520][ T2877] RSP: 002b:00007fffddd1ef88 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
[ 84.576338][ T2877] RAX: ffffffffffffffda RBX: 000055c460627880 RCX: 00007f9030c55e2b
[ 84.579952][ T2877] RDX: 00007fffddd1f198 RSI: 00007fffddd1f188 RDI: 0000000040000000
[ 84.583656][ T2877] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f9030d67d50
[ 84.586688][ T2877] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c460627410
[ 84.589682][ T2877] R13: 00007fffddd1f180 R14: 0000000000000000 R15: 0000000000000000
[ 84.593111][ T2877] </TASK>
------------------------------------------------------------

and something creates a new socket by invoking sk_clone_lock().
But since sk->sk_net_refcnt=0, net->ns.count is not incremented when the new socket is created.

------------------------------------------------------------
[ 85.280860][ C0] sock: sk_clone_lock(): sk=ffff888104138c40 net=ffff88800ec88000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[ 85.286319][ C0] sock: sk_clone_lock(): newsk=ffff888104139880 net=ffff88800ec88000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[ 85.292668][ C0] CPU: 0 PID: 2877 Comm: a.out Not tainted 5.17.0-dirty #756
[ 85.295870][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 85.299371][ C0] Call Trace:
[ 85.300734][ C0] <IRQ>
[ 85.302049][ C0] dump_stack_lvl+0xcd/0x134
[ 85.303996][ C0] sk_clone_lock.cold+0x37/0x70
[ 85.305959][ C0] inet_csk_clone_lock+0x1f/0x110
[ 85.308022][ C0] tcp_create_openreq_child+0x2c/0x560
[ 85.310198][ C0] tcp_v4_syn_recv_sock+0x73/0x810
[ 85.312460][ C0] tcp_v6_syn_recv_sock+0x9cf/0x1020
[ 85.314549][ C0] ? find_held_lock+0x2b/0x80
[ 85.316714][ C0] ? write_comp_data+0x1c/0x70
[ 85.318581][ C0] ? write_comp_data+0x1c/0x70
[ 85.320685][ C0] ? tcp_parse_options+0xb4/0x660
[ 85.322841][ C0] tcp_check_req+0x31a/0xa60
[ 85.324750][ C0] tcp_v4_rcv+0x150f/0x1de0
[ 85.326518][ C0] ip_protocol_deliver_rcu+0x52/0x630
[ 85.328923][ C0] ip_local_deliver_finish+0xb4/0x1d0
[ 85.331626][ C0] ip_local_deliver+0xa7/0x320
[ 85.333702][ C0] ? ip_protocol_deliver_rcu+0x630/0x630
[ 85.335873][ C0] ip_rcv_finish+0x108/0x170
[ 85.337775][ C0] ip_rcv+0x69/0x2f0
[ 85.339461][ C0] ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[ 85.341973][ C0] __netif_receive_skb_one_core+0x6a/0xa0
[ 85.344625][ C0] __netif_receive_skb+0x24/0xa0
[ 85.346637][ C0] process_backlog+0x11d/0x320
[ 85.348778][ C0] __napi_poll+0x3d/0x3e0
[ 85.350974][ C0] net_rx_action+0x34e/0x480
[ 85.353042][ C0] __do_softirq+0xde/0x539
[ 85.354871][ C0] ? sock_setsockopt+0x103/0x19f0
[ 85.356926][ C0] do_softirq+0xb1/0xf0
[ 85.358650][ C0] </IRQ>
[ 85.359962][ C0] <TASK>
[ 85.361518][ C0] __local_bh_enable_ip+0xbf/0xd0
[ 85.364170][ C0] sock_setsockopt+0x103/0x19f0
[ 85.366200][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 85.368309][ C0] __sys_setsockopt+0x2d1/0x330
[ 85.370298][ C0] __x64_sys_setsockopt+0x22/0x30
[ 85.372428][ C0] do_syscall_64+0x35/0xb0
[ 85.374243][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 85.376538][ C0] RIP: 0033:0x7f9030c5677e
[ 85.378474][ C0] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
[ 85.386716][ C0] RSP: 002b:00007fffddd1ef88 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[ 85.389991][ C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f9030c5677e
[ 85.393300][ C0] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
[ 85.396636][ C0] RBP: 00007fffddd1ef9c R08: 0000000000000004 R09: 0000000000000000
[ 85.399672][ C0] R10: 00007fffddd1ef9c R11: 0000000000000217 R12: 00007fffddd1efa0
[ 85.403298][ C0] R13: 0000000000000003 R14: 00007fffddd1eff0 R15: 0000000000000000
[ 85.406311][ C0] </TASK>
------------------------------------------------------------

Then, when the original socket is close()d and destructed, net->ns.count is decremented.

------------------------------------------------------------
[ 204.164238][ C1] sock: __sk_destruct(): sk=ffff888104138c40 family=10 net=ffff88800ec88000 sk->sk_net_refcnt=0
------------------------------------------------------------

But the cloned socket is still there and the TCP retransmit timer fires.

------------------------------------------------------------
[ 224.550620][ C0] BUG: Trying to access destroyed net=ffff88800ec88000 sk=ffff888104139880
[ 224.555669][ C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
[ 224.562340][ C0] ------------[ cut here ]------------
[ 224.564697][ C0] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:461 tcp_retransmit_timer.cold+0xdf/0xe6
[ 224.569214][ C0] Modules linked in:
[ 224.571197][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #756
[ 224.574659][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 224.578719][ C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
[ 224.581467][ C0] Code: 10 48 c7 c7 08 9f ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 fe 24 f2 ff <0f> 0b e9 9c 40 5f ff e8 49 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
[ 224.589620][ C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
[ 224.592253][ C0] RAX: 0000000000000063 RBX: ffff88800ec88000 RCX: ffffffff842622c0
[ 224.595621][ C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
[ 224.599035][ C0] RBP: ffff888104139880 R08: ffffffff81170398 R09: 0000000000000000
[ 224.602406][ C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
[ 224.605791][ C0] R13: ffff888104139880 R14: ffff888104139918 R15: ffff888104139900
[ 224.609110][ C0] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 224.612767][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 224.615409][ C0] CR2: 00007f11279aa340 CR3: 000000000d735000 CR4: 00000000000506f0
[ 224.618937][ C0] Call Trace:
[ 224.620480][ C0] <IRQ>
[ 224.621889][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 224.624114][ C0] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 224.626512][ C0] ? ktime_get+0x2d3/0x400
[ 224.628463][ C0] tcp_write_timer_handler+0x257/0x3f0
[ 224.630776][ C0] tcp_write_timer+0x19c/0x240
[ 224.632860][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 224.635251][ C0] call_timer_fn+0xe3/0x4f0
[ 224.637699][ C0] ? tcp_write_timer_handler+0x3f0/0x3f0
[ 224.640055][ C0] run_timer_softirq+0x812/0xac0
[ 224.642270][ C0] __do_softirq+0xde/0x539
[ 224.644238][ C0] irq_exit_rcu+0xb6/0xf0
[ 224.646170][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 224.648543][ C0] </IRQ>
[ 224.650083][ C0] <TASK>
[ 224.651715][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 224.654189][ C0] RIP: 0010:default_idle+0xb/0x10
[ 224.656669][ C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d e3 08 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[ 224.663980][ C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
[ 224.666737][ C0] RAX: 0000000000030067 RBX: 0000000000000000 RCX: ffffffff842622c0
[ 224.670022][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 224.673311][ C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[ 224.676957][ C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[ 224.680232][ C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[ 224.683617][ C0] default_idle_call+0x6a/0x260
[ 224.685750][ C0] do_idle+0x20c/0x260
[ 224.687593][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 224.690199][ C0] cpu_startup_entry+0x14/0x20
[ 224.692248][ C0] start_kernel+0x8f7/0x91e
[ 224.694223][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 224.697014][ C0] </TASK>
------------------------------------------------------------

mptcp_subflow_create_socket() increments net->ns.count and sets
sk->sk_net_refcnt = 1, but e.g. rds_tcp_listen_init() does not?

------------------------------------------------------------
int mptcp_subflow_create_socket(struct sock *sk, struct socket **new_sock)
{
        struct mptcp_subflow_context *subflow;
        struct net *net = sock_net(sk);
        struct socket *sf;
        int err;

        /* un-accepted server sockets can reach here - on bad configuration
         * bail early to avoid greater trouble later
         */
        if (unlikely(!sk->sk_socket))
                return -EINVAL;

        err = sock_create_kern(net, sk->sk_family, SOCK_STREAM, IPPROTO_TCP,
                               &sf);
        if (err)
                return err;

        lock_sock(sf->sk);

        /* the newly created socket has to be in the same cgroup as its parent */
        mptcp_attach_cgroup(sk, sf->sk);

        /* kernel sockets do not by default acquire net ref, but TCP timer
         * needs it.
         */
        sf->sk->sk_net_refcnt = 1;
        get_net_track(net, &sf->sk->ns_tracker, GFP_KERNEL);
        sock_inuse_add(net, 1);
------------------------------------------------------------
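The three traces in this message (sk_alloc(), the sk_clone_lock() pair, __sk_destruct(), then the BUG: line) are enough to answer "where did this socket come from" mechanically instead of by eye. The following is an added example, not code from the thread or from the kernel: a small C program that parses those debug printk() lines, records each socket's namespace, sk_net_refcnt value and clone parent, and lists the sockets that are still alive and still point at the destroyed net without owning a reference on it. The sample lines are constructed from the addresses quoted above, and the sscanf() formats assume exactly the printk() text shown in this message.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOCKS 32

struct sk_rec {
    unsigned long long sk;      /* struct sock address as printed */
    unsigned long long net;     /* sock_net(sk) as printed */
    unsigned long long parent;  /* 0 for sk_alloc(), else the listener it was cloned from */
    int net_refcnt;             /* sk->sk_net_refcnt as printed */
    int alive;                  /* cleared by the __sk_destruct() line */
};

struct lineage {
    struct sk_rec socks[MAX_SOCKS];
    int n;
    unsigned long long clone_parent;  /* sk= of the most recent sk_clone_lock() pair */
    unsigned long long destroyed_net; /* from the BUG: line, 0 until seen */
    unsigned long long faulting_sk;
};

static struct sk_rec *lineage_find(struct lineage *l, unsigned long long sk)
{
    for (int i = 0; i < l->n; i++)
        if (l->socks[i].sk == sk)
            return &l->socks[i];
    return NULL;
}

static int lineage_add(struct lineage *l, unsigned long long sk, unsigned long long net,
                       unsigned long long parent, int net_refcnt)
{
    struct sk_rec *r = lineage_find(l, sk);

    if (!r) {
        if (l->n == MAX_SOCKS)
            return 0;
        r = &l->socks[l->n++];
    }
    *r = (struct sk_rec){ .sk = sk, .net = net, .parent = parent,
                          .net_refcnt = net_refcnt, .alive = 1 };
    return 1;
}

/* Feed one console line (the "[ time][ Cn] sock: " prefix is skipped by strstr()).
 * Returns 1 if the line was one of the four debug messages, 0 otherwise. */
int lineage_feed(struct lineage *l, const char *line)
{
    unsigned long long sk, net;
    int family, refcnt;
    const char *p;

    if ((p = strstr(line, "sk_alloc(): ")) != NULL)
        return sscanf(p, "sk_alloc(): family=%d net=%llx sk=%llx sk->sk_net_refcnt=%d",
                      &family, &net, &sk, &refcnt) == 4 &&
               lineage_add(l, sk, net, 0, refcnt);
    if ((p = strstr(line, "sk_clone_lock(): sk=")) != NULL)
        return sscanf(p, "sk_clone_lock(): sk=%llx", &l->clone_parent) == 1;
    if ((p = strstr(line, "sk_clone_lock(): newsk=")) != NULL)
        return sscanf(p, "sk_clone_lock(): newsk=%llx net=%llx newsk->sk_family=%d "
                         "newsk->sk_net_refcnt=%d", &sk, &net, &family, &refcnt) == 4 &&
               lineage_add(l, sk, net, l->clone_parent, refcnt);
    if ((p = strstr(line, "__sk_destruct(): sk=")) != NULL) {
        struct sk_rec *r;

        if (sscanf(p, "__sk_destruct(): sk=%llx", &sk) != 1 || !(r = lineage_find(l, sk)))
            return 0;
        r->alive = 0;
        return 1;
    }
    if ((p = strstr(line, "BUG: Trying to access destroyed net=")) != NULL)
        return sscanf(p, "BUG: Trying to access destroyed net=%llx sk=%llx",
                      &l->destroyed_net, &l->faulting_sk) == 2;
    return 0;
}

/* Live sockets that still point at `net` without owning a reference on it. */
int lineage_dangling(struct lineage *l, unsigned long long net,
                     unsigned long long *out, int max)
{
    int cnt = 0;

    for (int i = 0; i < l->n && cnt < max; i++)
        if (l->socks[i].alive && l->socks[i].net == net && !l->socks[i].net_refcnt)
            out[cnt++] = l->socks[i].sk;
    return cnt;
}

/* Constructed sample: the lineage quoted in this message, one line per event. */
static const char *const sample_log[] = {
    "[   84.507864][ T2877] sock: sk_alloc(): family=10 net=ffff88800ec88000 sk=ffff888104138c40 sk->sk_net_refcnt=0",
    "[   85.280860][    C0] sock: sk_clone_lock(): sk=ffff888104138c40 net=ffff88800ec88000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2",
    "[   85.286319][    C0] sock: sk_clone_lock(): newsk=ffff888104139880 net=ffff88800ec88000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2",
    "[  204.164238][    C1] sock: __sk_destruct(): sk=ffff888104138c40 family=10 net=ffff88800ec88000 sk->sk_net_refcnt=0",
    "[  224.550620][    C0] BUG: Trying to access destroyed net=ffff88800ec88000 sk=ffff888104139880",
};

static struct lineage *sample(void)
{
    static struct lineage l;
    static int loaded;

    if (!loaded) {
        for (size_t i = 0; i < sizeof(sample_log) / sizeof(sample_log[0]); i++)
            lineage_feed(&l, sample_log[i]);
        loaded = 1;
    }
    return &l;
}

int sample_dangling_count(void)
{
    unsigned long long out[MAX_SOCKS];
    return lineage_dangling(sample(), sample()->destroyed_net, out, MAX_SOCKS);
}

unsigned long long sample_dangling_sk(void)
{
    unsigned long long out[MAX_SOCKS];
    return lineage_dangling(sample(), sample()->destroyed_net, out, MAX_SOCKS) ? out[0] : 0;
}

unsigned long long sample_parent_of(unsigned long long sk)
{
    struct sk_rec *r = lineage_find(sample(), sk);
    return r ? r->parent : 0;
}

int main(void)
{
    struct lineage *l = sample();
    unsigned long long out[MAX_SOCKS];
    int n = lineage_dangling(l, l->destroyed_net, out, MAX_SOCKS);

    for (int i = 0; i < n; i++)
        printf("sk=%llx still points at destroyed net=%llx with sk_net_refcnt=0 (cloned from sk=%llx)\n",
               out[i], l->destroyed_net, sample_parent_of(out[i]));
    return 0;
}
```

On the sample the only dangling socket is ffff888104139880, whose parent is the kernel listener ffff888104138c40 created by rds_tcp_listen_init(); feeding a full console log through lineage_feed() line by line gives the same answer for any number of namespaces.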

Tetsuo Handa

unread,
Apr 10, 2022, 7:36:22 AM4/10/22
to Eric Dumazet, bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, t...@hlghospital.com, Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds, Trond Myklebust
On 2022/04/10 2:47, Eric Dumazet wrote:
> So please add to your tree the NFS fix:
>
> commit f00432063db1a0db484e85193eccc6845435b80e
> Author: Trond Myklebust <trond.m...@hammerspace.com>
> Date: Sun Apr 3 15:58:11 2022 -0400
>
> SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

OK. Since the socket is sk->sk_net_refcnt=0, adding

> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index e31cf137c6140f76f838b4a0dcddf9f104ad653b..3dacd202bf2af43c55ffe820c08316150d2018ea
> 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -2928,6 +2928,8 @@ void tcp_close(struct sock *sk, long timeout)
> lock_sock(sk);
> __tcp_close(sk, timeout);
> release_sock(sk);
> + if (!sk->sk_net_refcnt)
> + inet_csk_clear_xmit_timers_sync(sk);
> sock_put(sk);
> }
> EXPORT_SYMBOL(tcp_close);

part indeed helped avoid the use-after-free increment on sock_net(sk).
But it seems to me that __sk_destruct() is never called.

----------------------------------------
[ 93.024086][ C1] sock: sk_clone_lock(): sk=ffff888110328000 net=ffff88810efb8000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[ 93.030257][ C1] sock: sk_clone_lock(): newsk=ffff888110350000 net=ffff88810efb8000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
(...snipped...)
[ 93.170750][ T740] TCP: Calling inet_csk_clear_xmit_timers_sync() on sock=ffff888110350000
(...snipped...)
[ 214.272450][ T8] TCP: Calling inet_csk_clear_xmit_timers_sync() on sock=ffff888110328000
(...snipped...)
[ 214.358528][ C3] sock: __sk_destruct(): sk=ffff888110328000 family=10 net=ffff88810efb8000 sk->sk_net_refcnt=0
----------------------------------------

If I do

- inet_csk_clear_xmit_timers_sync(sk);
+ write_pnet(&sk->sk_net, &init_net);

in this patch (i.e. just avoid use-after-free access), __sk_destruct() is called when timer fires.

----------------------------------------
[ 81.969884][ C0] sock: sk_clone_lock(): sk=ffff8880156f8000 net=ffff8881030d8000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[ 81.975329][ C0] sock: sk_clone_lock(): newsk=ffff8880156f8c40 net=ffff8881030d8000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
(...snipped...)
[ 82.078152][ T735] TCP: Resetting sk->sk_net on sock=ffff8880156f8c40
(...snipped...)
[ 203.937701][ T735] TCP: Resetting sk->sk_net on sock=ffff8880156f8000
(...snipped...)
[ 204.042570][ C1] sock: __sk_destruct(): sk=ffff8880156f8000 family=10 net=ffffffff84588cc0 sk->sk_net_refcnt=0
(...snipped...)
[ 214.124851][ C1] sock: __sk_destruct(): sk=ffff8880156f8c40 family=10 net=ffffffff84588cc0 sk->sk_net_refcnt=0
----------------------------------------

Therefore, I guess that this patch is missing something here.

Tetsuo Handa

unread,
Apr 22, 2022, 10:41:26 AM4/22/22
to Santosh Shilimkar, OFED mailing list, syzbot, and...@kernel.org, and...@fb.com, a...@kernel.org, dan...@iogearbox.net, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, john.fa...@gmail.com, ka...@fb.com, kps...@kernel.org, ku...@kernel.org, kuz...@ms2.inr.ac.ru, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, t...@hlghospital.com, y...@fb.com, yosh...@linux-ipv6.org, b...@vger.kernel.org
Hello, RDS developers.

I was thinking that the BPF program was relevant to the TCP/IPv6 socket triggering
the use-after-free access. But disassembling the syzkaller-generated BPF program concluded
that what "char program[2053]" is doing is not important
( https://lkml.kernel.org/r/d21e278f-a3ff-8603...@I-love.SAKURA.ne.jp ).

Then, I realized that TCP/IPv6 port 16385 (which the reproducer is accessing) is
used by the kernel RDS server, which can explain
"It seems that a socket with sk->sk_net_refcnt=0 is created by unshare(CLONE_NEWNET)"
at https://lkml.kernel.org/r/fa445f0e-32b7-5e0d...@I-love.SAKURA.ne.jp
because the kernel RDS server starts during the boot procedure.

------------------------------------------------------------
root@fuzz:~# unshare -n netstat -tanpe
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp6 0 0 :::16385 :::* LISTEN 0 19627 -
------------------------------------------------------------

With the debug printk() patch shown below,

------------------------------------------------------------
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 0ec2f5906a27..20b3c42b4140 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -429,7 +429,8 @@ static void net_free(struct net *net)
{
if (refcount_dec_and_test(&net->passive)) {
kfree(rcu_access_pointer(net->gen));
- kmem_cache_free(net_cachep, net);
+ memset(net, POISON_FREE, sizeof(struct net));
+ //kmem_cache_free(net_cachep, net);
}
}
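Review bot: with kmem_cache_free() commented out, every struct net that reaches net_free() is leaked for the lifetime of the kernel, so this hunk is a diagnostic that must not travel with any fix. As a diagnostic it is well chosen: POISON_FREE (0x6b) is what makes a later dereference through a stale net pointer fail loudly rather than silently read reused memory, which is exactly the `RAX: 6b6b6b6b6b6b6b6b` and non-canonical address 0x6b6af3ebe92b6bc3 in the general protection fault reported further down in this thread.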

diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 09cadd556d1e..5792fe3df8ac 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -146,10 +146,9 @@ int rds_tcp_accept_one(struct socket *sock)
my_addr = &saddr;
peer_addr = &daddr;
#endif
- rdsdebug("accepted family %d tcp %pI6c:%u -> %pI6c:%u\n",
- sock->sk->sk_family,
- my_addr, ntohs(inet->inet_sport),
- peer_addr, ntohs(inet->inet_dport));
+ pr_info("accepted family %d tcp %pI6c:%u -> %pI6c:%u refcnt=%d sock_net=%px init_net=%px\n",
+ sock->sk->sk_family, my_addr, ntohs(inet->inet_sport), peer_addr,
+ ntohs(inet->inet_dport), sock->sk->sk_net_refcnt, sock_net(sock->sk), &init_net);

#if IS_ENABLED(CONFIG_IPV6)
/* sk_bound_dev_if is not set if the peer address is not link local
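Review bot: replacing rdsdebug() with pr_info() makes the message unconditional and prints raw kernel pointers with %px, so this hunk belongs in a debug tree only; if any part of it is ever kept, keep rdsdebug() and drop the sock_net/init_net fields. For the investigation itself the added sk_net_refcnt field is the useful one, since it shows directly that accepted sockets inherit refcnt=0 from the kernel listener.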
------------------------------------------------------------

I get

accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:33086 refcnt=0 sock_net=ffffffff860d89c0 init_net=ffffffff860d89c0

if I do

# echo > /dev/tcp/127.0.0.1/16385

from init_net namespace, and I get

accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:33088 refcnt=0 sock_net=ffff88810a208000 init_net=ffffffff860d89c0

if I do

# echo > /dev/tcp/127.0.0.1/16385

from non-init_net namespace. Note that sock->sk->sk_net_refcnt is 0 in both cases.

Like commit 2303f994b3e18709 ("mptcp: Associate MPTCP context with TCP socket") says

/* kernel sockets do not by default acquire net ref, but TCP timer
* needs it.
*/

, I came to feel that e.g. rds_tcp_accept_one() accessing sock_net(sock->sk) on
accepted sockets with sock->sk->sk_net_refcnt=0 (because the listening socket was
created by the kernel) is causing this problem. Why doesn't the RDS kernel server do

sock->sk->sk_net_refcnt = 1;
get_net_track(net, &sock->sk->ns_tracker, GFP_KERNEL);
sock_inuse_add(net, 1);

on accepted sockets like mptcp_subflow_create_socket() does?

For your testing, below is the latest reproducer.
You can try this reproducer with the keep-memory-poisoned patch shown above.

        netlink_add_addr4(fd, "lo", "127.0.0.1");
        netlink_add_addr6(fd, "lo", "::1");
        netlink_device_change(fd, "lo", &macaddr, ETH_ALEN);
        close(fd);
}

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

static void execute_one(void)
{
        const union bpf_attr attr = {
                .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
                .insn_cnt = 2,
                .insns = (unsigned long long) "\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
                .license = (unsigned long long) "GPL",
        };
        struct sockaddr_in addr = {
                .sin_family = AF_INET,
                .sin_port = htons(0x4001), /* where kernel RDS TCPv6 socket is listening */
                .sin_addr.s_addr = inet_addr("127.0.0.1")
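The question raised above (why accepted RDS sockets inherit sk_net_refcnt=0 from the kernel listener while mptcp_subflow_create_socket() takes a reference), together with the lineage worked out in the 2022/04/10 message, comes down to one ownership rule: a socket whose timers will dereference sock_net(sk) must own a reference on that net. The user-space C model below is an added example, not kernel code and not a patch proposed in this thread; net_create, sk_alloc, sk_clone, retransmit_timer and run_scenario are simplified stand-ins for the kernel functions they are named after. It replays the lineage once with the accepted child inheriting sk_net_refcnt=0, and once with the child taking a reference the way the mptcp code does. It models reference ownership only, not the timer-stop race Eric describes, so it says nothing about whether inet_csk_clear_xmit_timers_sync() is sufficient.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b  /* the byte value the kernel's POISON_FREE expands to */

struct net {
    int ns_count;               /* models net->ns.count */
    unsigned long mib_timeouts; /* models the LINUX_MIB_TCPTIMEOUTS counter */
    int freed;                  /* set by net_put(); memory is poisoned, not released */
};

struct sock {
    struct net *net;            /* models sk->sk_net: a raw pointer, no ownership implied */
    int sk_net_refcnt;          /* 1 if this socket owns a reference on net */
    int refcnt;                 /* models sk->sk_refcnt */
    int timer_armed;            /* a pending retransmit timer, which holds one sk reference */
};

static struct net *net_create(void)
{
    struct net *n = calloc(1, sizeof(*n));

    n->ns_count = 1;            /* the creating task's reference (unshare(CLONE_NEWNET)) */
    return n;
}

static void net_put(struct net *n)
{
    if (--n->ns_count == 0) {
        memset(n, POISON_FREE, sizeof(*n)); /* like the debug patch: poison, keep the memory */
        n->freed = 1;
    }
}

/* Like sk_alloc(): kernel sockets (kern=1) do not take a reference on their namespace. */
static struct sock *sk_alloc(struct net *n, int kern)
{
    struct sock *sk = calloc(1, sizeof(*sk));

    sk->net = n;
    sk->refcnt = 1;
    sk->sk_net_refcnt = !kern;
    if (sk->sk_net_refcnt)
        n->ns_count++;
    return sk;
}

static void sk_put(struct sock *sk)
{
    if (--sk->refcnt)
        return;
    if (sk->sk_net_refcnt)      /* __sk_destruct(): only an owner drops the namespace */
        net_put(sk->net);
    free(sk);
}

/* Like sk_clone_lock() on accept: the child inherits sk_net_refcnt from the listener.
 * take_net_ref=1 applies the mptcp_subflow_create_socket() pattern to the child instead. */
static struct sock *sk_clone(struct sock *parent, int take_net_ref)
{
    struct sock *child = sk_alloc(parent->net, 1);

    child->sk_net_refcnt = parent->sk_net_refcnt || take_net_ref;
    if (child->sk_net_refcnt)
        child->net->ns_count++;  /* get_net_track() */
    child->timer_armed = 1;      /* retransmit timer pending; it holds a reference */
    child->refcnt++;
    return child;
}

/* Models tcp_retransmit_timer(): returns 1 if it read a destroyed net, 0 if clean. */
static int retransmit_timer(struct sock *sk)
{
    int uaf = sk->net->freed;    /* in the real kernel this read is what KASAN reports */

    if (!uaf)
        sk->net->mib_timeouts++; /* __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS) */
    sk->timer_armed = 0;
    sk_put(sk);                  /* the timer drops its reference */
    return uaf;
}

/* Replays the lineage from the thread. Returns 1 if the timer ran on a destroyed net. */
int run_scenario(int child_takes_net_ref)
{
    struct net *ns = net_create();
    struct sock *listener = sk_alloc(ns, 1);                      /* rds_tcp_listen_init() */
    struct sock *child = sk_clone(listener, child_takes_net_ref); /* tcp_create_openreq_child() */
    int uaf;

    sk_put(listener);  /* listener closed on namespace exit; ns_count is untouched */
    net_put(ns);       /* task leaves the namespace; with no owner left the net is freed */
    uaf = retransmit_timer(child);  /* timer fires on the orphaned child */
    sk_put(child);     /* child destructed; an owning child drops the net here instead */
    free(ns);          /* the model never released the poisoned memory; do it now */
    return uaf;
}

int main(void)
{
    printf("child inherits sk_net_refcnt=0: %s\n", run_scenario(0) ? "timer read destroyed net" : "clean");
    printf("child takes a net reference:    %s\n", run_scenario(1) ? "timer read destroyed net" : "clean");
    return 0;
}
```

With the inherited refcnt=0 the net is freed while the child and its timer are still alive, and the timer's increment lands in poisoned memory; with the child owning a reference, net_put() is only reached from the child's own destruction, after the timer has run.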

Tetsuo Handa

unread,
Apr 23, 2022, 11:58:07 PM4/23/22
to Santosh Shilimkar, OFED mailing list, syzbot, and...@kernel.org, and...@fb.com, a...@kernel.org, dan...@iogearbox.net, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, john.fa...@gmail.com, ka...@fb.com, kps...@kernel.org, ku...@kernel.org, kuz...@ms2.inr.ac.ru, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, t...@hlghospital.com, y...@fb.com, yosh...@linux-ipv6.org, b...@vger.kernel.org
OK. I succeeded in reproducing this problem without a BPF program.
Just dropping TCP packets is sufficient. That is, this bug should be fixed in the RDS code.

------------------------------------------------------------
root@fuzz:~# unshare -n sh -c '
ip link set lo up
iptables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
ip6tables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
telnet 127.0.0.1 16385
dmesg -c
netstat -tanpe' < /dev/null
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[ 54.922280] accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:58780 refcnt=0 sock_net=ffff888035c98000 init_net=ffffffff860d89c0
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 1 127.0.0.1:58780 127.0.0.1:16385 FIN_WAIT1 0 0 -
tcp6 0 0 :::16385 :::* LISTEN 0 18301 -
tcp6 1 1 127.0.0.1:16385 127.0.0.1:58780 LAST_ACK 0 0 -
------------------------------------------------------------

------------------------------------------------------------
fuzz login: [ 54.849128][ T2718] ip (2718) used greatest stack depth: 11192 bytes left
[ 54.922280][ T764] accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:58780 refcnt=0 sock_net=ffff888035c98000 init_net=ffffffff860d89c0
[ 224.330990][ C0] general protection fault, probably for non-canonical address 0x6b6af3ebe92b6bc3: 0000 [#1] PREEMPT SMP
[ 224.344491][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.0-rc3-00016-gb253435746d9-dirty #767
[ 224.355974][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 224.361184][ C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[ 224.364559][ C0] Code: 0f 84 33 05 00 00 4c 89 2c 24 49 89 c5 48 c7 40 10 00 00 00 00 e9 c0 fa ff ff 49 8b 46 30 41 0f b7 55 30 48 8b 80 b8 02 00 00 <65> 48 01 50 58 e9 8e fe ff ff 41 8b 86 fc 08 00 00 48 69 c0 e8 03
[ 224.375318][ C0] RSP: 0018:ffffc90000003d38 EFLAGS: 00010297
[ 224.378682][ C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[ 224.383253][ C0] RDX: 0000000000000001 RSI: ffff8881008054e0 RDI: ffff888035340000
[ 224.387171][ C0] RBP: ffff888100805508 R08: 0000000000000000 R09: 0000000000000000
[ 224.389612][ C0] R10: ffff888104a39140 R11: 0000000000000000 R12: 0000000000000001
[ 224.392646][ C0] R13: ffff8881008054e0 R14: ffff888035340000 R15: 0000000000000020
[ 224.395626][ C0] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 224.398662][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 224.400880][ C0] CR2: 000056264812f99c CR3: 000000000a58e000 CR4: 00000000000506f0
[ 224.403964][ C0] Call Trace:
[ 224.405212][ C0] <IRQ>
[ 224.406355][ C0] ? tcp_write_timer_handler+0x280/0x280
[ 224.408259][ C0] tcp_write_wakeup+0x112/0x160
[ 224.409932][ C0] ? ktime_get+0x1cb/0x260
[ 224.411636][ C0] tcp_send_probe0+0x13/0x150
[ 224.413393][ C0] tcp_write_timer_handler+0x248/0x280
[ 224.415433][ C0] tcp_write_timer+0xa5/0x110
[ 224.417040][ C0] ? tcp_write_timer_handler+0x280/0x280
[ 224.419142][ C0] call_timer_fn+0xa6/0x300
[ 224.420949][ C0] __run_timers.part.0+0x209/0x320
[ 224.422915][ C0] run_timer_softirq+0x2c/0x60
[ 224.424791][ C0] __do_softirq+0x174/0x53f
[ 224.426462][ C0] __irq_exit_rcu+0xcb/0x120
[ 224.428188][ C0] irq_exit_rcu+0x5/0x20
[ 224.430176][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 224.432301][ C0] </IRQ>
[ 224.433394][ C0] <TASK>
[ 224.434514][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 224.436500][ C0] RIP: 0010:default_idle+0xb/0x10
[ 224.438220][ C0] Code: 8b 04 25 40 af 01 00 f0 80 60 02 df c3 0f ae f0 0f ae 38 0f ae f0 eb b9 0f 1f 80 00 00 00 00 eb 07 0f 00 2d e3 b6 56 00 fb f4 <c3> cc cc cc cc 53 48 89 fb e8 67 fb fe ff 48 8b 15 a0 91 4e 02 89
[ 224.444865][ C0] RSP: 0018:ffffffff83e03ea8 EFLAGS: 00000202
[ 224.447077][ C0] RAX: 00000000000223b5 RBX: ffffffff83e61a00 RCX: 0000000000000001
[ 224.449957][ C0] RDX: 0000000000000000 RSI: ffffffff832e9bf1 RDI: ffffffff83246666
[ 224.452916][ C0] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
[ 224.455677][ C0] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[ 224.458458][ C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 224.461642][ C0] default_idle_call+0x54/0x90
[ 224.463888][ C0] do_idle+0x1f3/0x240
[ 224.465531][ C0] cpu_startup_entry+0x14/0x20
[ 224.467193][ C0] start_kernel+0x69c/0x6c1
[ 224.469040][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 224.471179][ C0] </TASK>
[ 224.472438][ C0] Modules linked in:
[ 224.474387][ C0] ---[ end trace 0000000000000000 ]---
[ 224.476521][ C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[ 224.478893][ C0] Code: 0f 84 33 05 00 00 4c 89 2c 24 49 89 c5 48 c7 40 10 00 00 00 00 e9 c0 fa ff ff 49 8b 46 30 41 0f b7 55 30 48 8b 80 b8 02 00 00 <65> 48 01 50 58 e9 8e fe ff ff 41 8b 86 fc 08 00 00 48 69 c0 e8 03
[ 224.485948][ C0] RSP: 0018:ffffc90000003d38 EFLAGS: 00010297
[ 224.488110][ C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[ 224.491186][ C0] RDX: 0000000000000001 RSI: ffff8881008054e0 RDI: ffff888035340000
[ 224.494378][ C0] RBP: ffff888100805508 R08: 0000000000000000 R09: 0000000000000000
[ 224.497576][ C0] R10: ffff888104a39140 R11: 0000000000000000 R12: 0000000000000001
[ 224.500600][ C0] R13: ffff8881008054e0 R14: ffff888035340000 R15: 0000000000000020
[ 224.503814][ C0] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 224.507136][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 224.509421][ C0] CR2: 000056264812f99c CR3: 000000000a58e000 CR4: 00000000000506f0
[ 224.512699][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 224.515847][ C0] Kernel Offset: disabled
[ 224.517636][ C0] Rebooting in 10 seconds..
------------------------------------------------------------

syzbot

May 1, 2022, 11:23:11 AM5/1/22
to penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+694120...@syzkaller.appspotmail.com

Tested on:

commit: 57ae8a49 Merge tag 'driver-core-5.18-rc5' of git://git..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=cf367f8a93c8eb82
dashboard link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=169e9900f00000

Note: testing is done by a robot and is best-effort only.

Tetsuo Handa

May 1, 2022, 11:29:28 AM5/1/22
to Santosh Shilimkar, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, syzbot, net...@vger.kernel.org, syzkall...@googlegroups.com, OFED mailing list
syzbot is reporting use-after-free read in tcp_retransmit_timer() [1],
for TCP socket used by RDS is accessing sock_net() without acquiring a
refcount on net namespace. Since TCP's retransmission can happen after
a process which created net namespace terminated, we need to explicitly
acquire a refcount.

Link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed [1]
Reported-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
---
net/rds/tcp.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 5327d130c4b5..8015d2695784 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -493,6 +493,15 @@ void rds_tcp_tune(struct socket *sock)
struct net *net = sock_net(sk);
struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);

+ /* TCP timer functions might access net namespace even after
+ * a process which created this net namespace terminated.
+ */
+ if (!sk->sk_net_refcnt) {
+ sk->sk_net_refcnt = 1;
+ get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
+ sock_inuse_add(net, 1);
+ }
+
tcp_sock_set_nodelay(sock->sk);
lock_sock(sk);
if (rtn->sndbuf_size > 0) {
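Review bot: the new block at the top of this hunk flips sk->sk_net_refcnt and takes the namespace reference before the lock_sock(sk) two lines below it, so the socket's refcount state changes outside the lock that the rest of rds_tcp_tune() (the sndbuf/rcvbuf adjustments in the context lines) runs under; move the block to just after lock_sock(sk). The commit message also carries no Fixes: tag naming the change that stopped kernel sockets from holding a netns reference, which stable trees need in order to pick this up.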
--
2.34.1

Eric Dumazet

May 1, 2022, 12:14:15 PM5/1/22
to Tetsuo Handa, Santosh Shilimkar, David S. Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, OFED mailing list
On Sun, May 1, 2022 at 8:29 AM Tetsuo Handa
<penguin...@i-love.sakura.ne.jp> wrote:
>
> syzbot is reporting use-after-free read in tcp_retransmit_timer() [1],
> for TCP socket used by RDS is accessing sock_net() without acquiring a
> refcount on net namespace. Since TCP's retransmission can happen after
> a process which created net namespace terminated, we need to explicitly
> acquire a refcount.
>

Please add a Fixes: tag

> Link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed [1]
> Reported-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> Tested-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
> ---
> net/rds/tcp.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/net/rds/tcp.c b/net/rds/tcp.c
> index 5327d130c4b5..8015d2695784 100644
> --- a/net/rds/tcp.c
> +++ b/net/rds/tcp.c
> @@ -493,6 +493,15 @@ void rds_tcp_tune(struct socket *sock)
> struct net *net = sock_net(sk);
> struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
>
> + /* TCP timer functions might access net namespace even after
> + * a process which created this net namespace terminated.
> + */

Please move this after the lock_sock(sk) [1], so that we are protected
correctly ?

> + if (!sk->sk_net_refcnt) {
> + sk->sk_net_refcnt = 1;
> + get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
> + sock_inuse_add(net, 1);
> + }
> +
> tcp_sock_set_nodelay(sock->sk);

> lock_sock(sk);

[1] Here.

syzbot

May 1, 2022, 9:34:10 PM5/1/22
to penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+694120...@syzkaller.appspotmail.com

Tested on:

commit: 20b87e7c selftests/bpf: Fix two memory leaks in prog_t..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=17e51e8e343b41c7
dashboard link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1626ebb4f00000

Tetsuo Handa

May 1, 2022, 9:40:40 PM5/1/22
to Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, OFED mailing list
syzbot is reporting use-after-free read in tcp_retransmit_timer() [1],
for TCP socket used by RDS is accessing sock_net() without acquiring a
refcount on net namespace. Since TCP's retransmission can happen after
a process which created net namespace terminated, we need to explicitly
acquire a refcount.

Fixes: 26abe14379f8e2fa ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
Fixes: 8a68173691f03661 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket")
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
---
Changes in v2:
Add Fixes: tag.
Move to inside lock_sock() section.

I chose 26abe14379f8e2fa and 8a68173691f03661 which went to 4.2 for Fixes: tag,
for refcount was implicitly taken when 70041088e3b97662 ("RDS: Add TCP transport
to RDS") was added to 2.6.32.

net/rds/tcp.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 5327d130c4b5..2f638f8b7b1e 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -495,6 +495,14 @@ void rds_tcp_tune(struct socket *sock)

tcp_sock_set_nodelay(sock->sk);
lock_sock(sk);
+ /* TCP timer functions might access net namespace even after
+ * a process which created this net namespace terminated.
+ */
+ if (!sk->sk_net_refcnt) {
+ sk->sk_net_refcnt = 1;
+ get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
+ sock_inuse_add(net, 1);
+ }
if (rtn->sndbuf_size > 0) {
sk->sk_sndbuf = rtn->sndbuf_size;
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
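Review bot: get_net_track() in this hunk unconditionally increments net->ns.count, but nothing here shows what guarantees that count is still non-zero when rds_tcp_tune() runs from rds_tcp_conn_path_connect() in the connect worker; if the namespace owner has already dropped its last reference, refcount_inc() on 0 only emits the "addition on 0; use-after-free" warning and saturates, it does not make the namespace safe to use. Use maybe_get_net(net) instead, and on NULL release the socket lock and report failure to the caller so a dying namespace is never resurrected from this path.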
--
2.34.1


Haakon Bugge

May 2, 2022, 10:12:41 AM5/2/22
to Tetsuo Handa, Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, OFED mailing list
Don't you need a corresponding put_net_track()?


Thxs, Håkon

Tetsuo Handa

May 2, 2022, 10:30:10 AM5/2/22
to Haakon Bugge, Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, OFED mailing list
On 2022/05/02 23:12, Haakon Bugge wrote:
>> + /* TCP timer functions might access net namespace even after
>> + * a process which created this net namespace terminated.
>> + */
>> + if (!sk->sk_net_refcnt) {
>> + sk->sk_net_refcnt = 1;
>> + get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
>
> Don't you need a corresponding put_net_track()?

__sk_free() and __sk_destruct() will do if sk->sk_net_refcnt is set.

>
>> + sock_inuse_add(net, 1);
>> + }

Paolo Abeni

May 3, 2022, 5:02:52 AM5/3/22
to Tetsuo Handa, Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
Hello,
This looks equivalent to the fix presented here:

https://lore.kernel.org/all/CANn89i+484ffqb93aQm1N-tj...@mail.gmail.com/

but the latter looks a more generic solution. @Tetsuo could you please
test the above in your setup?

Thanks!

Paolo

Tetsuo Handa

May 3, 2022, 5:56:35 AM5/3/22
to Paolo Abeni, Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
On 2022/05/03 18:02, Paolo Abeni wrote:
> This looks equivalent to the fix presented here:

Not equivalent.

>
> https://lore.kernel.org/all/CANn89i+484ffqb93aQm1N-tj...@mail.gmail.com/
>
> but the latter looks a more generic solution. @Tetsuo could you please
> test the above in your setup?

I already tested that fix, and the result was
https://lore.kernel.org/all/78cdbf25-4511-a567...@I-love.SAKURA.ne.jp/ .

Paolo Abeni

May 3, 2022, 7:10:57 AM5/3/22
to Tetsuo Handa, Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
Thanks, I somewhat missed that reply.

Paolo

patchwork-b...@kernel.org

May 3, 2022, 7:40:12 AM5/3/22
to Tetsuo Handa, edum...@google.com, santosh....@oracle.com, da...@davemloft.net, ku...@kernel.org, pab...@redhat.com, syzbot+694120...@syzkaller.appspotmail.com, net...@vger.kernel.org, syzkall...@googlegroups.com, linux...@vger.kernel.org
Hello:

This patch was applied to netdev/net.git (master)
by Paolo Abeni <pab...@redhat.com>:

On Mon, 2 May 2022 10:40:18 +0900 you wrote:
> syzbot is reporting use-after-free read in tcp_retransmit_timer() [1],
> for TCP socket used by RDS is accessing sock_net() without acquiring a
> refcount on net namespace. Since TCP's retransmission can happen after
> a process which created net namespace terminated, we need to explicitly
> acquire a refcount.
>
> Link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed [1]
> Reported-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
> Fixes: 26abe14379f8e2fa ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
> Fixes: 8a68173691f03661 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket")
> Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> Tested-by: syzbot <syzbot+694120...@syzkaller.appspotmail.com>
>
> [...]

Here is the summary with links:
- [v2] net: rds: acquire refcount on TCP sockets
https://git.kernel.org/netdev/net/c/3a58f13a881e

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


David Laight

May 3, 2022, 9:27:34 AM5/3/22
to Paolo Abeni, Tetsuo Handa, Eric Dumazet, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
From: Paolo Abeni
> Sent: 03 May 2022 10:03
Wouldn't a more generic solution be to add a flag to sock_create_kern()
so that it acquires a reference to the namespace?
This could be a bit on one of the existing parameters - like SOCK_NONBLOCK.

I've a driver that uses __sock_create() in order to get that reference.
I'm pretty sure the extra 'security' check will never fail.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Eric Dumazet

May 3, 2022, 9:43:40 AM5/3/22
to David Laight, Paolo Abeni, Tetsuo Handa, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
This would be silly really.

Definition of a 'kernel socket' is that it does not hold a reference
to the namespace.
(otherwise a netns could not be destroyed by user space)

A kernel layer using kernel sockets needs to properly dismantle them
when a namespace is destroyed.

In the RDS case, the socket was a user socket, or RDS lacked proper
tracking of all the sockets so that they can be dismantled properly.

Eric Dumazet

May 3, 2022, 9:45:46 AM5/3/22
to Paolo Abeni, Tetsuo Handa, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
I think this is still needed for layers (NFS ?) that dismantle their
TCP sockets whenever a netns is dismantled. But RDS case was different,
only the listener is a kernel socket.

Tetsuo Handa

May 3, 2022, 10:08:19 AM5/3/22
to Eric Dumazet, Paolo Abeni, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
On 2022/05/03 22:45, Eric Dumazet wrote:
>> This looks equivalent to the fix presented here:
>>
>> https://lore.kernel.org/all/CANn89i+484ffqb93aQm1N-tj...@mail.gmail.com/

I retested the fix above using

unshare -n sh -c '
ip link set lo up
iptables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
ip6tables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
telnet 127.0.0.1 16385
dmesg -c
netstat -tanpe' < /dev/null

as a test case, but it seems racy; sometimes timer function is called again and crashes.

[ 426.086565][ C2] general protection fault, probably for non-canonical address 0x6b6af3ebcc3b6bc3: 0000 [#1] PREEMPT SMP KASAN
[ 426.096339][ C2] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.18.0-rc5-dirty #807
[ 426.103769][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 426.111851][ C2] RIP: 0010:__tcp_transmit_skb+0xe72/0x1b80
[ 426.117512][ C2] Code: e8 b3 ea dc fd 48 8d 7d 30 45 0f b7 77 30 e8 95 ec dc fd 48 8b 5d 30 48 8d bb b8 02 00 00 e8 85 ec dc fd 48 8b 83 b8 02 00 00 <65> 4c 01 70 58 e9 67 fd ff ff e8 ef 56 ac fd 48 8d bd d0 09 00 00
[ 426.124692][ C2] RSP: 0018:ffff888060d09ac8 EFLAGS: 00010246
[ 426.126845][ C2] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8880145c8000 RCX: ffffffff838cc28b
[ 426.129616][ C2] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff8880145c82b8
[ 426.132374][ C2] RBP: ffff8880129f8000 R08: 0000000000000000 R09: 0000000000000007
[ 426.135077][ C2] R10: ffffffff838cbfd4 R11: 0000000000000001 R12: ffff8880129f8760
[ 426.137793][ C2] R13: ffff88800f6e0118 R14: 0000000000000001 R15: ffff88800f6e00e8
[ 426.140489][ C2] FS: 0000000000000000(0000) GS:ffff888060d00000(0000) knlGS:0000000000000000
[ 426.143525][ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 426.145792][ C2] CR2: 000055b5bb0adabc CR3: 000000000e003000 CR4: 00000000000506e0
[ 426.148509][ C2] Call Trace:
[ 426.149442][ C2] <IRQ>
[ 426.150183][ C2] ? __tcp_select_window+0x710/0x710
[ 426.151457][ C2] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 426.153007][ C2] ? tcp_current_mss+0x165/0x280
[ 426.154245][ C2] ? tcp_trim_head+0x300/0x300
[ 426.155396][ C2] ? find_held_lock+0x85/0xa0
[ 426.156734][ C2] ? mark_held_locks+0x65/0x90
[ 426.157967][ C2] tcp_write_wakeup+0x2e2/0x340
[ 426.159149][ C2] tcp_send_probe0+0x2a/0x2c0
[ 426.160368][ C2] tcp_write_timer_handler+0x5cb/0x670
[ 426.161740][ C2] tcp_write_timer+0x86/0x250
[ 426.162896][ C2] ? tcp_write_timer_handler+0x670/0x670
[ 426.164285][ C2] call_timer_fn+0x15d/0x5f0
[ 426.165481][ C2] ? add_timer_on+0x2e0/0x2e0
[ 426.166667][ C2] ? lock_downgrade+0x3c0/0x3c0
[ 426.167921][ C2] ? mark_held_locks+0x24/0x90
[ 426.169263][ C2] ? _raw_spin_unlock_irq+0x1f/0x40
[ 426.170564][ C2] ? tcp_write_timer_handler+0x670/0x670
[ 426.171920][ C2] __run_timers.part.0+0x523/0x740
[ 426.173181][ C2] ? call_timer_fn+0x5f0/0x5f0
[ 426.174321][ C2] ? pvclock_clocksource_read+0xdc/0x1a0
[ 426.175655][ C2] run_timer_softirq+0x66/0xe0
[ 426.176825][ C2] __do_softirq+0x1c2/0x670
[ 426.177944][ C2] __irq_exit_rcu+0xf8/0x140
[ 426.179120][ C2] irq_exit_rcu+0x5/0x20
[ 426.180150][ C2] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 426.181486][ C2] </IRQ>
[ 426.182180][ C2] <TASK>
[ 426.182845][ C2] asm_sysvec_apic_timer_interrupt+0x12/0x20

>
> I think this is still needed for layers (NFS ?) that dismantle their
> TCP sockets whenever a netns
> is dismantled. But RDS case was different, only the listener is a kernel socket.

We can't apply the fix above.

I think that the fundamental problem is that we use net->ns.count for both
"avoiding use-after-free" purpose and "allowing dismantle from user event" purpose.
Why not use separate counters?

David Laight

May 3, 2022, 10:25:32 AM5/3/22
to Eric Dumazet, Paolo Abeni, Tetsuo Handa, Santosh Shilimkar, David S. Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, OFED mailing list
From: Eric Dumazet
> Sent: 03 May 2022 14:43
I think it depends on why the driver is using a socket.

If the driver is a 'user' of a TCP connection that happens to
be a kernel driver then holding a reference to the namespace
is no different to an application socket holding a reference.
An example might be nfs/tcp - you need to unmount the filesystem
before you can delete the namespace.

OTOH if part of a protocol stack is using a socket for internal
calls (I think I've seen routing sockets used that way) then the
presence of the socket probably shouldn't stop the namespace
being deleted.

Listening sockets are a slight problem - probably for userspace as well.
It would be nicer to be able to get TCP (etc) to error out listening
sockets if they are the only thing stopping a namespace being deleted.

> In the RDS case, the socket was a user socket, or RDS lacked proper
> tracking of all the sockets
> so that they can be dismantled properly.

I think they probably are sockets created in order to act on requests
from applications.
I think they should have the same effect on namespaces as a direct
user socket - you can't delete the socket while the connection is
active.
Kill all the relevant processes, tell the driver to stop, and you
can delete the namespace.

Eric Dumazet

May 3, 2022, 5:17:54 PM5/3/22
to patchwork-b...@kernel.org, Tetsuo Handa, Santosh Shilimkar, David Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, linux-rdma
I think we merged this patch too soon.

My question is: what prevents rds_tcp_conn_path_connect(), and thus
rds_tcp_tune(), from being called after the netns refcount already
reached 0?

I guess we can wait for the next syzbot report, but I think that get_net()
should be replaced by maybe_get_net()

Eric Dumazet

May 3, 2022, 6:37:59 PM5/3/22
to patchwork-b...@kernel.org, Tetsuo Handa, Santosh Shilimkar, David Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, linux-rdma
Yes, syzbot was fast to trigger this exact issue:

HEAD commit: 3a58f13a net: rds: acquire refcount on TCP sockets
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 6934 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 6934 Comm: kworker/u4:17 Not tainted 5.18.0-rc4-syzkaller-00209-g3a58f13a881e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: krdsd rds_connect_worker
RIP: 0010:refcount_warn_saturate+0x169/0x1e0 lib/refcount.c:25
Code: 09 31 ff 89 de e8 f7 b9 81 fd 84 db 0f 85 36 ff ff ff e8 0a b6 81 fd 48 c7 c7 40 eb 26 8a c6 05 75 1f ac 09 01 e8 56 75 2d 05 <0f> 0b e9 17 ff ff ff e8 eb b5 81 fd 0f b6 1d 5a 1f ac 09 31 ff 89
RSP: 0018:ffffc9000b5e7b80 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88807a948000 RSI: ffffffff81600c08 RDI: fffff520016bcf62
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815fb5de R11: 0000000000000000 R12: ffff888021e69b80
R13: ffff88805bc82a00 R14: ffff888021e69ccc R15: ffff8880741a2900
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2cb5c000 CR3: 000000005688f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
get_net include/net/net_namespace.h:248 [inline]
get_net_track include/net/net_namespace.h:334 [inline]
rds_tcp_tune+0x5a0/0x5f0 net/rds/tcp.c:503
rds_tcp_conn_path_connect+0x489/0x880 net/rds/tcp_connect.c:127
rds_connect_worker+0x1a5/0x2c0 net/rds/threads.c:176
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>

Tetsuo Handa

May 3, 2022, 9:04:40 PM5/3/22
to Eric Dumazet, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, linux-rdma
On 2022/05/04 7:37, Eric Dumazet wrote:
>> I think we merged this patch too soon.
>>
>> My question is : What prevents rds_tcp_conn_path_connect(), and thus
>> rds_tcp_tune() to be called
>> after the netns refcount already reached 0 ?
>>
>> I guess we can wait for next syzbot report, but I think that get_net()
>> should be replaced
>> by maybe_get_net()
>
> Yes, syzbot was fast to trigger this exact issue:

Does maybe_get_net() help?

Since rds_conn_net() returns a net namespace without holding a ref, it is theoretically
possible that the net namespace returned by rds_conn_net() is already kmem_cache_free()d
if refcount dropped to 0 by the moment sk_alloc() calls sock_net_set().

rds_tcp_conn_path_connect() {
sock_create_kern(net = rds_conn_net(conn)) {
__sock_create(net = rds_conn_net(conn), kern = 1) {
err = pf->create(net = rds_conn_net(conn), kern = 1) {
// pf->create is either inet_create or inet6_create
sk_alloc(net = rds_conn_net(conn), kern = 1) {
sk->sk_net_refcnt = kern ? 0 : 1;
if (likely(sk->sk_net_refcnt)) {
get_net_track(net, &sk->ns_tracker, priority);
sock_inuse_add(net, 1);
}
sock_net_set(sk, net);
}
}
}
}
rds_tcp_tune() {
if (!sk->sk_net_refcnt) {
sk->sk_net_refcnt = 1;
get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
sock_inuse_add(net, 1);
}
}
}

"struct rds_connection" needs to hold a ref in order to safely allow
rds_tcp_tune() to call maybe_get_net(), which in turn makes it pointless
to use maybe_get_net() from rds_tcp_tune() because "struct rds_connection"
must have a ref. The situation where we are protected by maybe_get_net() is
quite limited if the long-lived object is not holding a ref.

Hmm, can we simply use &init_net instead of rds_conn_net(conn) ?
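To make the refcount reasoning in this exchange concrete, here is a constructed userspace model of the netns lifetime. It is an added example, not code from the kernel or from anyone in this thread: `count` stands in for `net->ns.count`, and the two-step teardown (count reaches zero, the namespace is queued for cleanup_net(), then it is freed) mirrors the __put_net()/cleanup_net() sequence discussed above. It shows why get_net() on a namespace whose owner has already exited only produces the "addition on 0; use-after-free" warning, why maybe_get_net() instead reports failure during that cleanup window (and is no help at all once the struct is freed), and that a reference taken while the namespace is still alive is what actually keeps it valid for the TCP timers. Every name ending in `_model`, and the two result globals, are assumptions of this model; it is single-threaded, so plain ints replace the refcount_t atomics.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model (assumption): "count" plays net->ns.count; the teardown
 * mirrors __put_net() queueing to cleanup_list, then cleanup_net() freeing. */
struct net_model {
	int count;
	bool on_cleanup_list;	/* last put_net() done, cleanup_net() pending */
	bool freed;		/* cleanup_net() finished: memory is gone */
};

/* Number of "refcount_t: addition on 0; use-after-free" style warnings. */
static int saturation_warnings;

static struct net_model *net_create_model(void)
{
	struct net_model *net = calloc(1, sizeof(*net));
	if (net)
		net->count = 1;	/* held by the process that unshared it */
	return net;
}

/* get_net(): refcount_inc(); on a dead object it warns and saturates. */
static struct net_model *get_net_model(struct net_model *net)
{
	if (net->freed)
		abort();	/* the kernel would read freed memory here */
	if (net->count == 0) {
		saturation_warnings++;
		return net;	/* caller now holds a pointer to a dying netns */
	}
	net->count++;
	return net;
}

/* maybe_get_net(): refcount_inc_not_zero(); NULL while the netns is dying. */
static struct net_model *maybe_get_net_model(struct net_model *net)
{
	if (net->freed)
		abort();	/* still a UAF if called after cleanup_net() ran */
	if (net->count == 0)
		return NULL;
	net->count++;
	return net;
}

/* put_net(): drop a reference; at zero, __put_net() schedules cleanup. */
static void put_net_model(struct net_model *net)
{
	if (--net->count == 0)
		net->on_cleanup_list = true;
}

/* cleanup_net(): per-net exit handlers run here, then the struct is freed. */
static void cleanup_net_model(struct net_model *net)
{
	if (net->on_cleanup_list)
		net->freed = true;
}

/* A kernel socket (kern=1, so sk_alloc() took no reference) is tuned only
 * after the namespace creator exited. Returns whether the tune path believes
 * it holds a reference; saturation_warnings says whether that was a lie. */
static bool late_tune(bool use_maybe_get_net)
{
	struct net_model *net = net_create_model();
	bool holds_ref;

	saturation_warnings = 0;
	put_net_model(net);	/* creator exits: count 1 -> 0, queued for cleanup */
	if (use_maybe_get_net)
		holds_ref = maybe_get_net_model(net) != NULL;
	else
		holds_ref = get_net_model(net) != NULL;
	cleanup_net_model(net);
	free(net);
	return holds_ref;
}

/* Results of timely_tune(): netns freed before / after the socket's put? */
static bool freed_before_socket_release, freed_after_socket_release;

/* The merged patch's case: rds_tcp_tune() runs while count > 0, so the
 * socket's reference outlives the creator and keeps the netns valid for the
 * TCP timers. Returns the count observed right after the creator exited. */
static int timely_tune(void)
{
	struct net_model *net = net_create_model();
	int count_after_creator_exit;

	maybe_get_net_model(net);	/* rds_tcp_tune(): sk_net_refcnt = 1, 1 -> 2 */
	put_net_model(net);		/* creator exits: 2 -> 1 */
	count_after_creator_exit = net->count;
	cleanup_net_model(net);		/* nothing queued: netns stays alive */
	freed_before_socket_release = net->freed;
	put_net_model(net);		/* __sk_free(): socket drops its ref, 1 -> 0 */
	cleanup_net_model(net);
	freed_after_socket_release = net->freed;
	free(net);
	return count_after_creator_exit;
}
```

Run late_tune(false) and late_tune(true) to see the two behaviours side by side: the get_net() flavour returns "holds a reference" while saturation_warnings becomes 1, which is exactly the syzbot splat quoted in this thread, and the maybe_get_net() flavour returns false with no warning, leaving the caller to abandon the socket. timely_tune() shows the ordering the merged patch relies on: the netns is not even queued for cleanup until the socket itself drops the reference.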

Eric Dumazet

May 3, 2022, 11:09:49 PM5/3/22
to Tetsuo Handa, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, linux-rdma
On Tue, May 3, 2022 at 6:04 PM Tetsuo Handa
<penguin...@i-love.sakura.ne.jp> wrote:
>
> On 2022/05/04 7:37, Eric Dumazet wrote:
> >> I think we merged this patch too soon.
> >>
> >> My question is : What prevents rds_tcp_conn_path_connect(), and thus
> >> rds_tcp_tune() to be called
> >> after the netns refcount already reached 0 ?
> >>
> >> I guess we can wait for next syzbot report, but I think that get_net()
> >> should be replaced
> >> by maybe_get_net()
> >
> > Yes, syzbot was fast to trigger this exact issue:
>
> Does maybe_get_net() help?
>
> Since rds_conn_net() returns a net namespace without holding a ref, it is theoretically
> possible that the net namespace returned by rds_conn_net() is already kmem_cache_free()d
> if refcount dropped to 0 by the moment sk_alloc() calls sock_net_set().

Nope. RDS has an exit() handler called from cleanup_net()

(struct pernet_operations)->exit() or exit_batch() :
rds_tcp_exit_net() (rds_tcp_kill_sock())

This exit() handler _has_ to remove all known listeners, and
definitely cancel work queues (synchronous operation)
before the actual "struct net" free can happen later.



>
> rds_tcp_conn_path_connect() {
> sock_create_kern(net = rds_conn_net(conn)) {
> __sock_create(net = rds_conn_net(conn), kern = 1) {
> err = pf->create(net = rds_conn_net(conn), kern = 1) {
> // pf->create is either inet_create or inet6_create
> sk_alloc(net = rds_conn_net(conn), kern = 1) {
> sk->sk_net_refcnt = kern ? 0 : 1;
> if (likely(sk->sk_net_refcnt)) {
> get_net_track(net, &sk->ns_tracker, priority);
> sock_inuse_add(net, 1);
> }
> sock_net_set(sk, net);
> }
> }
> }
> }
> rds_tcp_tune() {
> if (!sk->sk_net_refcnt) {
> sk->sk_net_refcnt = 1;
> get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
> sock_inuse_add(net, 1);
> }
> }
> }
>
> "struct rds_connection" needs to hold a ref in order to safely allow
> rds_tcp_tune() to call maybe_get_net(), which in turn makes pointless
> to use maybe_get_net() from rds_tcp_tune() because "struct rds_connection"
> must have a ref. Situation where we are protected by maybe_get_net() is
> quite limited if long-lived object is not holding a ref.
>
> Hmm, can we simply use &init_net instead of rds_conn_net(conn) ?

Only if you plan making RDS unavailable for non init netns.

Tetsuo Handa

May 4, 2022, 12:58:41 AM5/4/22
to Eric Dumazet, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, Paolo Abeni, syzbot, netdev, syzkaller-bugs, linux-rdma
On 2022/05/04 12:09, Eric Dumazet wrote:
>> Does maybe_get_net() help?
>>
>> Since rds_conn_net() returns a net namespace without holding a ref, it is theoretically
>> possible that the net namespace returned by rds_conn_net() is already kmem_cache_free()d
>> if refcount dropped to 0 by the moment sk_alloc() calls sock_net_set().
>
> Nope. RDS has an exit() handler called from cleanup_net()
>
> (struct pernet_operations)->exit() or exit_batch() :
> rds_tcp_exit_net() (rds_tcp_kill_sock())

Hmm, when put_net() called __put_net(), this "struct net" is chained to cleanup_list.
When cleanup_net() is called via net_cleanup_work, rds_tcp_exit_net() is called from
ops_exit_list(). Therefore, we can call maybe_get_net() until rds_tcp_exit_net() returns.
That's good.

>
> This exit() handler _has_ to remove all known listeners, and
> definitely cancel work queues (synchronous operation)
> before the actual "struct net" free can happen later.

But in your report, rds_tcp_tune() is called from rds_tcp_conn_path_connect() from
rds_connect_worker() via "struct rds_connection"->cp_conn_w work. I can see that
rds_tcp_kill_sock() calls rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w), and
rds_tcp_listen_stop() calls flush_workqueue(rds_wq) and flush_work(&rtn->rds_tcp_accept_w).

But I can't see how rds_tcp_exit_net() synchronously cancels all works associated
with "struct rds_conn_path".

struct rds_conn_path {
struct delayed_work cp_send_w;
struct delayed_work cp_recv_w;
struct delayed_work cp_conn_w;
struct work_struct cp_down_w;
}

These works are queued to rds_wq, but flush_workqueue() waits for completion only
if already queued. What if timer for queue_delayed_work() has not expired, or was
about to call queue_delayed_work() ? Is flush_workqueue(rds_wq) sufficient?

Anyway, if rds_tcp_kill_sock() can somehow guarantee that all works are completed
or cancelled, the fix would look like something below?

net/rds/tcp.c | 11 ++++++++---
net/rds/tcp.h | 2 +-
net/rds/tcp_connect.c | 5 ++++-
net/rds/tcp_listen.c | 5 ++++-
4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 2f638f8b7b1e..8e26bcf02044 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -487,11 +487,11 @@ struct rds_tcp_net {
/* All module specific customizations to the RDS-TCP socket should be done in
* rds_tcp_tune() and applied after socket creation.
*/
-void rds_tcp_tune(struct socket *sock)
+bool rds_tcp_tune(struct socket *sock)
{
struct sock *sk = sock->sk;
struct net *net = sock_net(sk);
- struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
+ struct rds_tcp_net *rtn;

tcp_sock_set_nodelay(sock->sk);
lock_sock(sk);
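Review bot: the comment block at the top of this hunk still presents rds_tcp_tune() as a pure tuning step that cannot fail; now that it returns bool, document there (and at the prototype in tcp.h) that false means the net namespace is being torn down, no netns reference was taken, and the caller must discard the socket. Moving the net_generic() lookup below the refcount check is the right order, since rtn lives inside net and must not be read before the reference is secured.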
@@ -499,10 +499,14 @@ void rds_tcp_tune(struct socket *sock)
* a process which created this net namespace terminated.
*/
if (!sk->sk_net_refcnt) {
+ if (!maybe_get_net(net)) {
+ release_sock(sk);
+ return false;
+ }
sk->sk_net_refcnt = 1;
- get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
sock_inuse_add(net, 1);
}
+ rtn = net_generic(net, rds_tcp_netid);
if (rtn->sndbuf_size > 0) {
sk->sk_sndbuf = rtn->sndbuf_size;
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
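Review bot: replacing get_net_track() with maybe_get_net() drops the ns_tracker registration while still setting sk->sk_net_refcnt = 1, so the matching release on socket teardown, which expects a tracker entry, now has nothing to pair with when the tracker is enabled. Keep the tracker by adding `netns_tracker_alloc(net, &sk->ns_tracker, GFP_KERNEL);` right after the successful maybe_get_net(), before sock_inuse_add(). The failure path is otherwise correct: sk_net_refcnt stays 0, so the caller's sock_release() will not drop a reference that was never taken.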
@@ -512,6 +516,7 @@ void rds_tcp_tune(struct socket *sock)
sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
}
release_sock(sk);
+ return true;
}

static void rds_tcp_accept_worker(struct work_struct *work)
diff --git a/net/rds/tcp.h b/net/rds/tcp.h
index dc8d745d6857..f8b5930d7b34 100644
--- a/net/rds/tcp.h
+++ b/net/rds/tcp.h
@@ -49,7 +49,7 @@ struct rds_tcp_statistics {
};

/* tcp.c */
-void rds_tcp_tune(struct socket *sock);
+bool rds_tcp_tune(struct socket *sock);
void rds_tcp_set_callbacks(struct socket *sock, struct rds_conn_path *cp);
void rds_tcp_reset_callbacks(struct socket *sock, struct rds_conn_path *cp);
void rds_tcp_restore_callbacks(struct socket *sock,
diff --git a/net/rds/tcp_connect.c b/net/rds/tcp_connect.c
index 5461d77fff4f..f0c477c5d1db 100644
--- a/net/rds/tcp_connect.c
+++ b/net/rds/tcp_connect.c
@@ -124,7 +124,10 @@ int rds_tcp_conn_path_connect(struct rds_conn_path *cp)
if (ret < 0)
goto out;

- rds_tcp_tune(sock);
+ if (!rds_tcp_tune(sock)) {
+ ret = -EINVAL;
+ goto out;
+ }

if (isv6) {
sin6.sin6_family = AF_INET6;
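Review bot: -EINVAL misdescribes this failure; the arguments are fine, the namespace is going away. Consider an errno that says so (for example -ENETDOWN, a suggestion rather than an established convention) so the rds_tcp_conn_path_connect() failure is recognisable in later reports. Also confirm that the out: label releases sock whenever ret is non-zero: the socket holds no netns reference at this point, so it must be destroyed here, not returned to the caller for further setup.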
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 09cadd556d1e..7edf2e69d3fe 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -133,7 +133,10 @@ int rds_tcp_accept_one(struct socket *sock)
__module_get(new_sock->ops->owner);

rds_tcp_keepalive(new_sock);
- rds_tcp_tune(new_sock);
+ if (!rds_tcp_tune(new_sock)) {
+ ret = -EINVAL;
+ goto out;
+ }

inet = inet_sk(new_sock->sk);
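Review bot: this early exit lands right after __module_get(new_sock->ops->owner) on the line above; confirm that the out: path in rds_tcp_accept_one() releases new_sock and drops that module reference, otherwise the new failure path leaks both. Per the analysis in this thread, rds_tcp_kill_sock() sets rds_tcp_listen_sock to NULL and flushes the accept work before the namespace can be freed, so this caller is defensive rather than the one Eric's report came from; a one-line comment saying so would stop a future reader from treating the two call sites as equivalent.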

--
2.34.1

Paolo Abeni

May 4, 2022, 9:09:49 AM
to Eric Dumazet, patchwork-b...@kernel.org, Tetsuo Handa, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
My fault.


> My question is : What prevents rds_tcp_conn_path_connect(), and thus
> rds_tcp_tune() to be called
> after the netns refcount already reached 0 ?
>
> I guess we can wait for next syzbot report, but I think that get_net()
> should be replaced
> by maybe_get_net()
>
Should we revert this patch before the next pull request, if a suitable
incremental fix is not available by then?

It looks like the window of opportunity for the race is roughly the
same?

Thanks!

Paolo

Eric Dumazet

May 4, 2022, 9:26:02 AM
to Paolo Abeni, patchwork-b...@kernel.org, Tetsuo Handa, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
No need to revert the patch, we certainly are in a better situation,
as refcount_t helps here.

We can refine the logic in a followup.

Thanks.

Tetsuo Handa

May 4, 2022, 11:15:59 AM
to Eric Dumazet, Paolo Abeni, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
On 2022/05/04 13:58, Tetsuo Handa wrote:
> On 2022/05/04 12:09, Eric Dumazet wrote:
>> This exit() handler _has_ to remove all known listeners, and
>> definitely cancel work queues (synchronous operation)
>> before the actual "struct net" free can happen later.
>
> But in your report, rds_tcp_tune() is called from rds_tcp_conn_path_connect() from
> rds_connect_worker() via "struct rds_connection"->cp_conn_w work. I can see that
> rds_tcp_kill_sock() calls rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w), and
> rds_tcp_listen_stop() calls flush_workqueue(rds_wq) and flush_work(&rtn->rds_tcp_accept_w).
>
> But I can't see how rds_tcp_exit_net() synchronously cancels all works associated
> with "struct rds_conn_path".
>
> struct rds_conn_path {
> struct delayed_work cp_send_w;
> struct delayed_work cp_recv_w;
> struct delayed_work cp_conn_w;
> struct work_struct cp_down_w;
> }
>
> These works are queued to rds_wq, but flush_workqueue() waits for completion only
> if already queued. What if timer for queue_delayed_work() has not expired, or was
> about to call queue_delayed_work() ? Is flush_workqueue(rds_wq) sufficient?


rds_tcp_tune+0x5a0/0x5f0 net/rds/tcp.c:503
rds_tcp_conn_path_connect+0x489/0x880 net/rds/tcp_connect.c:127
rds_connect_worker+0x1a5/0x2c0 net/rds/threads.c:176
process_one_work+0x996/0x1610 kernel/workqueue.c:2289

rds_tcp_conn_path_connect is referenced by
"struct rds_transport rds_tcp_transport"->conn_path_connect.
It is invoked by

ret = conn->c_trans->conn_path_connect(cp)

in rds_connect_worker().

rds_connect_worker is referenced by "struct rds_conn_path"->cp_conn_w
via INIT_DELAYED_WORK().

queue_delayed_work(rds_wq, &cp->cp_conn_w, *) is called by
rds_queue_reconnect() or rds_conn_path_connect_if_down().

If rds_conn_path_connect_if_down() were called from
rds_tcp_accept_one_path() from rds_tcp_accept_one(),
rds_tcp_tune() from rds_tcp_accept_one() would already have been called
before rds_tcp_tune() from rds_tcp_conn_path_connect() is called.
Since the addition on 0 was not reported at rds_tcp_tune() from
rds_tcp_accept_one(), what Eric is reporting cannot be from
rds_tcp_accept_one() from rds_tcp_accept_worker().

Although rds_tcp_kill_sock() sets rtn->rds_tcp_listen_sock = NULL and
waits for rds_tcp_accept_one() from rds_tcp_accept_worker() to complete
using flush_workqueue(rds_wq), what Eric is reporting is different from
what syzbot+694120e1002c117747ed was reporting.

>
> Anyway, if rds_tcp_kill_sock() can somehow guarantee that all works are completed
> or cancelled, the fix would look like something below?

I think it is OK to apply the below diff in order to avoid the addition on 0 problem, but
it is not proven that kmem_cache_free() has not yet been called. What should we do?

Tetsuo Handa

May 4, 2022, 8:46:01 PM
to Eric Dumazet, Paolo Abeni, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
Eric Dumazet is reporting addition on 0 problem at rds_tcp_tune(), for
delayed works queued in rds_wq might be invoked after a net namespace's
refcount already reached 0.

Since rds_tcp_exit_net() from cleanup_net() calls flush_workqueue(rds_wq),
it is guaranteed that we can instead use maybe_get_net() from delayed work
functions until rds_tcp_exit_net() returns.

Note that I'm not convinced that all works which might access a net
namespace are already queued in rds_wq by the moment rds_tcp_exit_net()
calls flush_workqueue(rds_wq). If some race is there, rds_tcp_exit_net()
will fail to wait for work functions, and kmem_cache_free() could be
called from net_free() before maybe_get_net() is called from
rds_tcp_tune().

Reported-by: Eric Dumazet <edum...@google.com>
Fixes: 3a58f13a881ed351 ("net: rds: acquire refcount on TCP sockets")
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
---
net/rds/tcp.c | 11 ++++++++---
net/rds/tcp.h | 2 +-
net/rds/tcp_connect.c | 5 ++++-
net/rds/tcp_listen.c | 5 ++++-
4 files changed, 17 insertions(+), 6 deletions(-)

Eric Dumazet

May 4, 2022, 8:53:54 PM
to Tetsuo Handa, Paolo Abeni, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
This could use:
netns_tracker_alloc(net, &sk->ns_tracker, GFP_KERNEL);

> sock_inuse_add(net, 1);
> }
> + rtn = net_generic(net, rds_tcp_netid);
> if (rtn->sndbuf_size > 0) {
> sk->sk_sndbuf = rtn->sndbuf_size;
> sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
> @@ -512,6 +516,7 @@ void rds_tcp_tune(struct socket *sock)
> sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
> }
> release_sock(sk);
> + return true;
> }
>

Otherwise, patch looks good to me, thanks.

Jakub Kicinski

May 4, 2022, 9:04:26 PM
to Tetsuo Handa, Eric Dumazet, Paolo Abeni, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, syzbot, netdev, syzkaller-bugs, linux-rdma
On Thu, 5 May 2022 09:45:49 +0900 Tetsuo Handa wrote:
> Subject: [PATCH] net: rds: use maybe_get_net() when acquiring refcount on TCP sockets

Please tag the next version as [PATCH net v2], and make sure it applies
cleanly on top of net/master, 'cause reportedly this one didn't?
https://patchwork.kernel.org/project/netdevbpf/patch/63dab11e-2aeb-5608...@I-love.SAKURA.ne.jp/

Tetsuo Handa

May 4, 2022, 9:54:06 PM
to Eric Dumazet, Paolo Abeni, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
Eric Dumazet is reporting addition on 0 problem at rds_tcp_tune(), for
delayed works queued in rds_wq might be invoked after a net namespace's
refcount already reached 0.

Since rds_tcp_exit_net() from cleanup_net() calls flush_workqueue(rds_wq),
it is guaranteed that we can instead use maybe_get_net() from delayed work
functions until rds_tcp_exit_net() returns.

Note that I'm not convinced that all works which might access a net
namespace are already queued in rds_wq by the moment rds_tcp_exit_net()
calls flush_workqueue(rds_wq). If some race is there, rds_tcp_exit_net()
will fail to wait for work functions, and kmem_cache_free() could be
called from net_free() before maybe_get_net() is called from
rds_tcp_tune().

Reported-by: Eric Dumazet <edum...@google.com>
Fixes: 3a58f13a881ed351 ("net: rds: acquire refcount on TCP sockets")
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
---
Changes in v2:
Add netns_tracker_alloc().

net/rds/tcp.c | 12 +++++++++---
net/rds/tcp.h | 2 +-
net/rds/tcp_connect.c | 5 ++++-
net/rds/tcp_listen.c | 5 ++++-
4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 2f638f8b7b1e..73ee2771093d 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -487,11 +487,11 @@ struct rds_tcp_net {
/* All module specific customizations to the RDS-TCP socket should be done in
* rds_tcp_tune() and applied after socket creation.
*/
-void rds_tcp_tune(struct socket *sock)
+bool rds_tcp_tune(struct socket *sock)
{
struct sock *sk = sock->sk;
struct net *net = sock_net(sk);
- struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
+ struct rds_tcp_net *rtn;

tcp_sock_set_nodelay(sock->sk);
lock_sock(sk);
@@ -499,10 +499,15 @@ void rds_tcp_tune(struct socket *sock)
* a process which created this net namespace terminated.
*/
if (!sk->sk_net_refcnt) {
+ if (!maybe_get_net(net)) {
+ release_sock(sk);
+ return false;
+ }
sk->sk_net_refcnt = 1;
- get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
+ netns_tracker_alloc(net, &sk->ns_tracker, GFP_KERNEL);
sock_inuse_add(net, 1);
}
+ rtn = net_generic(net, rds_tcp_netid);
if (rtn->sndbuf_size > 0) {
sk->sk_sndbuf = rtn->sndbuf_size;
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
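Review bot: the commit message concedes that nothing guarantees net is still allocated when this runs, and maybe_get_net() has to read the refcount out of that struct, so if a cp_conn_w work is queued after rds_tcp_exit_net()'s flush_workqueue(rds_wq) this very check becomes the use-after-free. The change is still worth taking because it removes the addition-on-0 resurrection, but the lifetime fix belongs in rds_tcp_exit_net(): cancel the per-path works (cp_send_w, cp_recv_w, cp_conn_w and cp_down_w, e.g. with cancel_delayed_work_sync()) before returning, or hold a netns reference for as long as such a work is pending. A TODO next to maybe_get_net() would keep the follow-up Eric mentioned from being forgotten.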
@@ -512,6 +517,7 @@ void rds_tcp_tune(struct socket *sock)

Eric Dumazet

May 5, 2022, 3:13:50 PM
to Tetsuo Handa, Paolo Abeni, patchwork-b...@kernel.org, Santosh Shilimkar, David Miller, Jakub Kicinski, syzbot, netdev, syzkaller-bugs, linux-rdma
On Wed, May 4, 2022 at 6:54 PM Tetsuo Handa
<penguin...@i-love.sakura.ne.jp> wrote:
>
> Eric Dumazet is reporting addition on 0 problem at rds_tcp_tune(), for
> delayed works queued in rds_wq might be invoked after a net namespace's
> refcount already reached 0.
>
> Since rds_tcp_exit_net() from cleanup_net() calls flush_workqueue(rds_wq),
> it is guaranteed that we can instead use maybe_get_net() from delayed work
> functions until rds_tcp_exit_net() returns.
>
> Note that I'm not convinced that all works which might access a net
> namespace are already queued in rds_wq by the moment rds_tcp_exit_net()
> calls flush_workqueue(rds_wq). If some race is there, rds_tcp_exit_net()
> will fail to wait for work functions, and kmem_cache_free() could be
> called from net_free() before maybe_get_net() is called from
> rds_tcp_tune().
>
> Reported-by: Eric Dumazet <edum...@google.com>
> Fixes: 3a58f13a881ed351 ("net: rds: acquire refcount on TCP sockets")
> Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> ---
>

Reviewed-by: Eric Dumazet <edum...@google.com>

patchwork-b...@kernel.org

May 5, 2022, 9:20:15 PM
to Tetsuo Handa, edum...@google.com, pab...@redhat.com, patchwork-b...@kernel.org, santosh....@oracle.com, da...@davemloft.net, ku...@kernel.org, syzbot+694120...@syzkaller.appspotmail.com, net...@vger.kernel.org, syzkall...@googlegroups.com, linux...@vger.kernel.org
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <ku...@kernel.org>:

On Thu, 5 May 2022 10:53:53 +0900 you wrote:
> Eric Dumazet is reporting addition on 0 problem at rds_tcp_tune(), for
> delayed works queued in rds_wq might be invoked after a net namespace's
> refcount already reached 0.
>
> Since rds_tcp_exit_net() from cleanup_net() calls flush_workqueue(rds_wq),
> it is guaranteed that we can instead use maybe_get_net() from delayed work
> functions until rds_tcp_exit_net() returns.
>
> [...]

Here is the summary with links:
- [net,v2] net: rds: use maybe_get_net() when acquiring refcount on TCP sockets
https://git.kernel.org/netdev/net/c/6997fbd7a3da