From: Eric Dumazet
Date: Wed, 5 Apr 2023 21:47:54 +0200
Subject: Re: KASAN: use-after-free Read in tcp_write_timer_handler
To: Kuniyuki Iwashima
Cc: bpf@vger.kernel.org, davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, threeearcat@gmail.com, yoshfuji@linux-ipv6.org

On Wed, Apr 5, 2023 at 9:42 PM Kuniyuki Iwashima wrote:
>
> From: Eric Dumazet
> Date: Wed, 5 Apr 2023 13:28:16 +0200
> > On Wed, Apr 5, 2023 at 12:41 PM Dae R. Jeong wrote:
> > >
> > > Hi,
> > >
> > > We observed an issue "KASAN: use-after-free Read in tcp_write_timer_handler" during fuzzing.
> > >
> > > Unfortunately, we have not found a reproducer for the crash yet. We
> > > will inform you if we have any update on this crash. Detailed crash
> > > information is attached below.
> > >
> >
> > Thanks for the report.
> >
> > I have dozens of similar syzbot reports, with no repro.
> >
> > I usually hold them, because otherwise it is just noise to mailing lists.
> >
> > Normally, all user TCP sockets hold a reference on the netns.
> >
> > In all these cases, we see a netns being dismantled while there is at
> > least one socket with a live timer.
> >
> > This is therefore a kernel TCP socket, for which we do not yet have
> > debugging infra (REF_TRACKER).
> >
> > CONFIG_NET_DEV_REFCNT_TRACKER=y is helping to detect too many dev_put();
> > we need something tracking the "kernel sockets" as well.
>
> Maybe I missed something, but we track kernel sockets with netns
> by notrefcnt_tracker?

Oh right, I forgot I did this already :)

commit 0cafd77dcd032d1687efaba5598cf07bce85997f
Author: Eric Dumazet
Date:   Thu Oct 20 23:20:18 2022 +0000

    net: add a refcount tracker for kernel sockets

Dae, make sure to not send reports based on old kernels.

Using 6.0-rc7 is a waste of your time, and of everyone else's reading this thread.

I confess I did not check this, and I really should do that all the time.

>
> I thought now CONFIG_NET_NS_REFCNT_TRACKER can catch the case.
>
> >
> > Otherwise bugs in subsystems not properly dismantling their kernel
> > socket at netns dismantle are next to impossible to track and fix.
> >
> > If anyone has time to implement this, feel free to submit patches.
> >
> > Thanks.
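The mechanism the thread turns on is a tracker that records who took each netns reference, so that a kernel socket left behind at netns exit gets named at dismantle time instead of surfacing later as a use-after-free in its timer. The user-space C below models that idea. It is an added example, not code from this thread or from the kernel: the names notrefcnt_tracker, sock_net_set, put_net and tcp_write_timer_handler are borrowed from the kernel's vocabulary, but the struct layouts, the label-instead-of-stack-trace recording, the `struct outcome` result and the `scenario()` driver are hypothetical simplifications written for this example.

```c
/* Added example, not from this thread or the kernel: a user-space model of the
 * reference-tracker idea behind REF_TRACKER / CONFIG_NET_NS_REFCNT_TRACKER. Names
 * like notrefcnt_tracker and sock_net_set mirror kernel vocabulary; all definitions are hypothetical. */
#include <stdio.h>
#define MAX_TRACKERS 8

/* One outstanding reference. The kernel records a stack trace here; this
 * model records a label naming the holder. */
struct ref_tracker { const char *owner; int in_use; };

/* Model netns. User sockets take a counted reference and pin the netns; kernel
 * sockets must not, so they are only registered in notrefcnt_tracker. */
struct net { int refcnt, dead; struct ref_tracker notrefcnt_tracker[MAX_TRACKERS]; };

struct sock {
	struct net *net; int net_refcnt, timer_pending; /* net_refcnt 1: user, 0: kernel socket */
	struct ref_tracker *ns_tracker;                 /* kernel sockets only */
};

struct outcome { int leaks, uaf; }; /* what one run of scenario() reports */

static struct ref_tracker *ref_tracker_alloc(struct ref_tracker *dir, const char *owner)
{
	for (int i = 0; i < MAX_TRACKERS; i++)
		if (!dir[i].in_use) {
			dir[i].in_use = 1;
			dir[i].owner = owner;
			return &dir[i];
		}
	return NULL;                    /* table full: reference goes untracked */
}

/* Run when the tracked object dies: report and count references never released. */
static int ref_tracker_dir_exit(struct ref_tracker *dir, const char *what)
{
	int leaks = 0;
	for (int i = 0; i < MAX_TRACKERS; i++)
		if (dir[i].in_use) {
			fprintf(stderr, "leaked %s reference held by: %s\n", what, dir[i].owner);
			leaks++;
		}
	return leaks;
}

/* Counted reference for a user socket, tracker registration only for a kernel socket. */
static void sock_net_set(struct sock *sk, struct net *net, int refcounted, const char *owner)
{
	sk->net = net;
	sk->net_refcnt = refcounted;
	if (refcounted)
		net->refcnt++;
	else
		sk->ns_tracker = ref_tracker_alloc(net->notrefcnt_tracker, owner);
}

/* Correct teardown: disarm the timer, then undo what sock_net_set did. */
static void sock_destroy(struct sock *sk)
{
	sk->timer_pending = 0;
	if (sk->net_refcnt)
		sk->net->refcnt--;
	else if (sk->ns_tracker)
		sk->ns_tracker->in_use = 0;
}

/* Drop one reference; the last one dismantles the netns. Returns -1 while it
 * stays alive, otherwise how many kernel sockets were never torn down. */
static int put_net(struct net *net)
{
	if (--net->refcnt > 0)
		return -1;
	net->dead = 1;
	return ref_tracker_dir_exit(net->notrefcnt_tracker, "netns (kernel socket)");
}

/* Timer callback model: 1 when sk->net is already dismantled, the read KASAN flags. */
static int tcp_write_timer_handler(struct sock *sk)
{
	return sk->timer_pending && sk->net && sk->net->dead;
}

/* forget_ksk=0: the subsystem destroys its kernel socket before netns exit.
 * forget_ksk=1: the thread's failure mode, the socket is left with its timer armed. */
static struct outcome scenario(int forget_ksk)
{
	struct net net = { .refcnt = 1 };   /* the creator's reference */
	struct sock user = {0}, ksk = {0};
	struct outcome out;
	sock_net_set(&user, &net, 1, "user tcp socket");
	sock_net_set(&ksk, &net, 0, "subsystem kernel tcp socket");
	ksk.timer_pending = 1;
	sock_destroy(&user);
	if (!forget_ksk)
		sock_destroy(&ksk);
	out.leaks = put_net(&net);          /* 0 clean, 1 with the holder named on stderr */
	out.uaf = tcp_write_timer_handler(&ksk);
	return out;
}
```

`scenario(0)` tears the kernel socket down before the last `put_net()` and reports nothing; `scenario(1)` leaves it registered, so the dismantle names the holder on stderr and the timer model returns 1, the read that KASAN would flag. The point of the design is the split Eric describes: the user socket pins the netns through the refcount, while the kernel socket must not pin it and therefore can only be caught by a side table consulted at exit. In the kernel the analogous report comes from the ref_tracker directory at netns exit when CONFIG_NET_NS_REFCNT_TRACKER is enabled, with the allocation stack trace in place of a label.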