[v6.1] KASAN: use-after-free Read in tcp_retransmit_timer


syzbot

Mar 12, 2024, 8:56:28 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 61adba85cc40 Linux 6.1.81
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=162a4611180000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da5a35c67a34fd5
dashboard link: https://syzkaller.appspot.com/bug?extid=c388232d8ae8a3cf79a8
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/61c8045dd77d/disk-61adba85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1620a2c15322/vmlinux-61adba85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/68d3cf583201/Image-61adba85.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c38823...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x59c/0x1da8 net/ipv4/tcp_timer.c:535
Read of size 8 at addr ffff0000db7482c0 by task syz-executor.1/12166

CPU: 0 PID: 12166 Comm: syz-executor.1 Not tainted 6.1.81-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
tcp_retransmit_timer+0x59c/0x1da8 net/ipv4/tcp_timer.c:535
tcp_write_timer_handler+0x18c/0x808 net/ipv4/tcp_timer.c:648
tcp_write_timer+0x170/0x2e4 net/ipv4/tcp_timer.c:665
call_timer_fn+0x1c0/0xa1c kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x554/0x718 kernel/time/timer.c:1790
run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1803
__do_softirq+0x314/0xe38 kernel/softirq.c:571
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:893
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0x264/0x4d4 kernel/softirq.c:650
irq_exit_rcu+0x14/0x84 kernel/softirq.c:662
__el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
el1_interrupt+0x38/0x68 arch/arm64/kernel/entry-common.c:486
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
arch_local_irq_restore arch/arm64/include/asm/irqflags.h:122 [inline]
lock_acquire+0x2ac/0x7cc kernel/locking/lockdep.c:5665
rcu_lock_acquire+0x38/0x44 include/linux/rcupdate.h:319
rcu_read_lock include/linux/rcupdate.h:760 [inline]
__mod_lruvec_page_state+0xa8/0x2ec mm/memcontrol.c:832
page_add_new_anon_rmap+0x3a4/0x534 mm/rmap.c:1275
do_anonymous_page mm/memory.c:4211 [inline]
handle_pte_fault mm/memory.c:5011 [inline]
__handle_mm_fault mm/memory.c:5155 [inline]
handle_mm_fault+0x2d70/0x3ef0 mm/memory.c:5276
__do_page_fault arch/arm64/mm/fault.c:499 [inline]
do_page_fault+0x330/0x890 arch/arm64/mm/fault.c:583
do_translation_fault+0x94/0xc8 arch/arm64/mm/fault.c:667
do_mem_abort+0x74/0x200 arch/arm64/mm/fault.c:803
el0_da+0x70/0x184 arch/arm64/kernel/entry-common.c:515
el0t_64_sync_handler+0xcc/0xf0 arch/arm64/kernel/entry-common.c:658
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 5169:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x230/0x37c mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:682 [inline]
net_alloc net/core/net_namespace.c:410 [inline]
copy_net_ns+0x124/0x590 net/core/net_namespace.c:465
create_new_namespaces+0x344/0x614 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0x108/0x158 kernel/nsproxy.c:226
ksys_unshare+0x45c/0x874 kernel/fork.c:3203
__do_sys_unshare kernel/fork.c:3274 [inline]
__se_sys_unshare kernel/fork.c:3272 [inline]
__arm64_sys_unshare+0x3c/0x50 kernel/fork.c:3272
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000db748000
which belongs to the cache net_namespace of size 6976
The buggy address is located 704 bytes inside of
6976-byte region [ffff0000db748000, ffff0000db749b40)

The buggy address belongs to the physical page:
page:00000000d1cc1577 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000db748000 pfn:0x11b748
head:00000000d1cc1577 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff00010d434b01
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc00030c0e00 dead000000000002 ffff0000c03de180
raw: ffff0000db748000 0000000080040001 00000001ffffffff ffff00010d434b01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000db748180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000db748200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000db748280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000db748300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000db748380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup