From: "Dae R. Jeong"
Date: Thu, 6 Apr 2023 07:17:30 +0900
Subject: Re: KASAN: use-after-free Read in tcp_write_timer_handler
To: Eric Dumazet
Cc: Kuniyuki Iwashima, bpf@vger.kernel.org, davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org
References: <20230405194143.15708-1-kuniyu@amazon.com>
List: linux-kernel@vger.kernel.org

On Thu, Apr 6, 2023 at 4:48 AM Eric Dumazet wrote:
>
> On Wed, Apr 5, 2023 at 9:42 PM Kuniyuki Iwashima wrote:
> >
> > From: Eric Dumazet
> > Date: Wed, 5 Apr 2023 13:28:16 +0200
> > > On Wed, Apr 5, 2023 at 12:41 PM Dae R. Jeong wrote:
> > > >
> > > > Hi,
> > > >
> > > > We observed an issue "KASAN: use-after-free Read in tcp_write_timer_handler" during fuzzing.
> > > >
> > > > Unfortunately, we have not found a reproducer for the crash yet. We
> > > > will inform you if we have any update on this crash. Detailed crash
> > > > information is attached below.
> > > >
> > >
> > > Thanks for the report.
> > >
> > > I have dozens of similar syzbot reports, with no repro.
> > >
> > > I usually hold them, because otherwise it is just noise to mailing lists.
> > >
> > > Normally, all user TCP sockets hold a reference on the netns
> > >
> > > In all these cases, we see a netns being dismantled while there is at
> > > least one socket with a live timer.
> > >
> > > This is therefore a kernel TCP socket, for which we do not have yet
> > > debugging infra ( REF_TRACKER )
> > >
> > > CONFIG_NET_DEV_REFCNT_TRACKER=y is helping to detect too many dev_put(),
> > > we need something tracking the "kernel sockets" as well.
> >
> > Maybe I missed something, but we track kernel sockets with netns
> > by notrefcnt_tracker ?
>
> Oh right, I forgot I did this already :)
>
> commit 0cafd77dcd032d1687efaba5598cf07bce85997f
> Author: Eric Dumazet
> Date:   Thu Oct 20 23:20:18 2022 +0000
>
>     net: add a refcount tracker for kernel sockets
>
> Dae, make sure to not send reports based on old kernels.
>
> Using 6.0-rc7 is a waste of your time, and everyone else reading this thread.
>

I confess I did not check this, and I really should do that all the time.
I'm sorry and I understand your time is valuable. I will let you know
when I observe this issue again.

> >
> > I thought now CONFIG_NET_NS_REFCNT_TRACKER can catch the case.
> >
> > >
> > > Otherwise bugs in subsystems not properly dismantling their kernel
> > > socket at netns dismantle are next to impossible to track and fix.
> > >
> > > If anyone has time to implement this, feel free to submit patches.
> > >
> > > Thanks.

Best regards,
Dae R. Jeong.
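As an added illustration, not part of the thread and not the kernel's own ref_tracker code, of why the discussion above wants a reference tracker for kernel sockets rather than a bare refcount: a small userspace model in C in which every hold on a netns records its owner, so that when the netns is dismantled with references still outstanding, the teardown report names the holder (here, a kernel socket that never dropped its reference) instead of only showing a non-zero count. Every name in it (netns_model, netns_hold, netns_put, netns_dismantle, the "subsystem X" label) is hypothetical.

```c
/*
 * Constructed userspace model of a reference tracker. Not kernel code:
 * all names are hypothetical. A plain refcount only tells you at teardown
 * that "refcnt != 0"; a tracker records who took each reference, so the
 * subsystem that forgot to release its kernel socket can be named.
 */
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 16

struct ref_tracker {
    int in_use;          /* slot holds a live reference */
    const char *owner;   /* label of the code that took it (a call site in a real tracker) */
};

struct netns_model {
    int refcnt;                               /* the plain reference count */
    struct ref_tracker trackers[MAX_TRACKED]; /* one record per outstanding reference */
};

void netns_init(struct netns_model *net)
{
    memset(net, 0, sizeof(*net));
}

/* Take a reference and record its owner. Returns a handle, or -1 if the table is full. */
int netns_hold(struct netns_model *net, const char *owner)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!net->trackers[i].in_use) {
            net->trackers[i].in_use = 1;
            net->trackers[i].owner = owner;
            net->refcnt++;
            return i;
        }
    }
    return -1;
}

/* Drop a reference by handle. Returns 0, or -1 on a bad handle or a double put. */
int netns_put(struct netns_model *net, int handle)
{
    if (handle < 0 || handle >= MAX_TRACKED || !net->trackers[handle].in_use)
        return -1;
    net->trackers[handle].in_use = 0;
    net->refcnt--;
    return 0;
}

/* Dismantle: write one line per still-held reference into report, return the leak count. */
int netns_dismantle(struct netns_model *net, char *report, size_t len)
{
    int leaks = 0;
    size_t off = 0;
    if (len)
        report[0] = '\0';
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!net->trackers[i].in_use)
            continue;
        leaks++;
        int n = snprintf(report + off, len - off, "leaked netns ref held by: %s\n",
                         net->trackers[i].owner);
        if (n > 0 && (size_t)n < len - off)
            off += (size_t)n;
    }
    return leaks;
}

/* The situation from the thread: user sockets release their references, a
 * kernel socket with a live timer does not, and the netns is torn down anyway. */
int scenario_kernel_socket_leak(char *report, size_t len)
{
    struct netns_model net;
    netns_init(&net);
    int a = netns_hold(&net, "user TCP socket #1");
    int b = netns_hold(&net, "user TCP socket #2");
    (void)netns_hold(&net, "kernel TCP socket of subsystem X (hypothetical)");
    netns_put(&net, a);
    netns_put(&net, b);
    return netns_dismantle(&net, report, len);
}

/* Well-behaved case: everything is released before dismantle, so no report lines. */
int scenario_clean(void)
{
    struct netns_model net;
    char report[64];
    netns_init(&net);
    int a = netns_hold(&net, "user TCP socket");
    netns_put(&net, a);
    return netns_dismantle(&net, report, sizeof report);
}

/* A double put is rejected instead of silently driving the count negative. */
int scenario_double_put_rejected(void)
{
    struct netns_model net;
    netns_init(&net);
    int a = netns_hold(&net, "user TCP socket");
    int first = netns_put(&net, a);
    int second = netns_put(&net, a);
    return first == 0 && second == -1 && net.refcnt == 0;
}

int main(void)
{
    char report[256];
    int leaks = scenario_kernel_socket_leak(report, sizeof report);
    printf("%d leaked reference(s) at netns dismantle\n%s", leaks, report);
    return leaks ? 1 : 0;
}
```

Run stand-alone, the program prints one leak line naming the hypothetical kernel socket and exits non-zero; that per-holder attribution at teardown, rather than a bare "refcount is still 1", is the property the thread's CONFIG_NET_NS_REFCNT_TRACKER discussion is about.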