* KASAN: use-after-free Read in tcp_retransmit_timer (5)
@ 2020-02-24  7:40 syzbot
  2021-12-22 11:00 ` [syzbot] " syzbot
  0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2020-02-24  7:40 UTC (permalink / raw)
  To: andriin, ast, bpf, daniel, davem, edumazet, kafai, kuba, kuznet,
	linux-kernel, netdev, songliubraving, syzkaller-bugs, yhs,
	yoshfuji

Hello,

syzbot found the following crash on:

HEAD commit:    41f57cfd Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=1460da7ee00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=768cc3d3e277cc16
dashboard link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+694120e1002c117747ed@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2c51/0x30e0 net/ipv4/tcp_timer.c:500
Read of size 8 at addr ffff888062cc0338 by task syz-executor.0/18199

CPU: 0 PID: 18199 Comm: syz-executor.0 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 tcp_retransmit_timer+0x2c51/0x30e0 net/ipv4/tcp_timer.c:500
 tcp_write_timer_handler+0x6be/0x8d0 net/ipv4/tcp_timer.c:611
 tcp_write_timer+0xac/0x2e0 net/ipv4/tcp_timer.c:631
 call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:slab_alloc mm/slab.c:3313 [inline]
RIP: 0010:__do_kmalloc mm/slab.c:3654 [inline]
RIP: 0010:__kmalloc+0x2b8/0x770 mm/slab.c:3665
Code: 7e 0f 85 d6 fe ff ff e8 a7 af 4c ff e9 cc fe ff ff e8 4c 6d c7 ff 48 83 3d dc f5 ff 07 00 0f 84 4f 03 00 00 48 8b 7d c0 57 9d <0f> 1f 44 00 00 e9 5e fe ff ff 31 d2 be 35 02 00 00 48 c7 c7 de dd
RSP: 0018:ffffc900019675a8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000c40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8880569e29d8 RDI: 0000000000000282
RBP: ffffc90001967620 R08: ffff8880569e2140 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000001000
R13: 0000000000000c40 R14: ffff8880aa402000 R15: ffff8880962fa000
 kmalloc include/linux/slab.h:560 [inline]
 tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x2a3/0x3e0 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:319 [inline]
 tomoyo_file_open+0xa9/0xd0 security/tomoyo/tomoyo.c:314
 security_file_open+0x71/0x300 security/security.c:1529
 do_dentry_open+0x37a/0x1380 fs/open.c:784
 vfs_open+0xa0/0xd0 fs/open.c:914
 do_last fs/namei.c:3490 [inline]
 path_openat+0x12ee/0x3490 fs/namei.c:3607
 do_filp_open+0x192/0x260 fs/namei.c:3637
 do_sys_openat2+0x5eb/0x7e0 fs/open.c:1149
 do_sys_open+0xf2/0x180 fs/open.c:1165
 ksys_open include/linux/syscalls.h:1386 [inline]
 __do_sys_open fs/open.c:1171 [inline]
 __se_sys_open fs/open.c:1169 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1169
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4161c0
Code: 05 48 3d 01 f0 ff ff 0f 83 2d 19 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d ad 22 87 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff
RSP: 002b:00007ffd846aa178 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffd846aa1a4 RCX: 00000000004161c0
RDX: 00007ffd846aa1aa RSI: 0000000000080001 RDI: 00000000004c1fef
RBP: 00007ffd846aa1a0 R08: 0000000000008040 R09: 0000000000000004
R10: 0000000000000075 R11: 0000000000000246 R12: 00000000004c1fef
R13: 00007ffd846aa6c0 R14: 0000000000000000 R15: 00007ffd846aa6d0

Allocated by task 2861:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 __do_kmalloc_node mm/slab.c:3616 [inline]
 __kmalloc_node_track_caller+0x4e/0x70 mm/slab.c:3630
 __kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:142
 __alloc_skb+0x10b/0x5e0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1081 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:324 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:376 [inline]
 nsim_dev_trap_report_work+0x25c/0xaf0 drivers/net/netdevsim/dev.c:415
 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2861:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 skb_free_head+0x93/0xb0 net/core/skbuff.c:590
 skb_release_data+0x43c/0x8b0 net/core/skbuff.c:610
 skb_release_all+0x4d/0x60 net/core/skbuff.c:664
 __kfree_skb net/core/skbuff.c:678 [inline]
 consume_skb net/core/skbuff.c:837 [inline]
 consume_skb+0xfb/0x410 net/core/skbuff.c:831
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:390 [inline]
 nsim_dev_trap_report_work+0x7cb/0xaf0 drivers/net/netdevsim/dev.c:415
 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888062cc0000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 824 bytes inside of
 4096-byte region [ffff888062cc0000, ffff888062cc1000)
The buggy address belongs to the page:
page:ffffea00018b3000 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00024ce208 ffffea00029a7b08 ffff8880aa402000
raw: 0000000000000000 ffff888062cc0000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888062cc0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888062cc0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888062cc0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888062cc0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888062cc0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2020-02-24  7:40 KASAN: use-after-free Read in tcp_retransmit_timer (5) syzbot
@ 2021-12-22 11:00 ` syzbot
  2022-04-09  8:19   ` Tetsuo Handa
  0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2021-12-22 11:00 UTC (permalink / raw)
  To: andrii, andriin, ast, bpf, daniel, davem, dsahern, edumazet,
	john.fastabend, kafai, kpsingh, kuba, kuznet, linux-kernel,
	netdev, songliubraving, syzkaller-bugs, tpa, yhs, yoshfuji

syzbot has found a reproducer for the following issue on:

HEAD commit:    819d11507f66 bpf, selftests: Fix spelling mistake "tained"..
git tree:       bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=138bf80db00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=22b66456935ee10
dashboard link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=172ccbcdb00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14fcccedb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+694120e1002c117747ed@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2ea2/0x3320 net/ipv4/tcp_timer.c:511
Read of size 8 at addr ffff888075d9b6d8 by task jbd2/sda1-8/2936

CPU: 1 PID: 2936 Comm: jbd2/sda1-8 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 tcp_retransmit_timer+0x2ea2/0x3320 net/ipv4/tcp_timer.c:511
 tcp_write_timer_handler+0x5e6/0xbc0 net/ipv4/tcp_timer.c:622
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x1c/0x60 kernel/kcov.c:200
Code: be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 65 8b 05 29 be 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 40 70 02 00 <a9> 00 01 ff 00 74 0e 85 c9 74 35 8b 82 a4 15 00 00 85 c0 74 2b 8b
RSP: 0018:ffffc9000cc8f7e0 EFLAGS: 00000246
RAX: 0000000080000001 RBX: 0000000000005460 RCX: 0000000000000000
RDX: ffff88807dcdd700 RSI: ffffffff82149a29 RDI: 0000000000000003
RBP: 0000000000008000 R08: 0000000000008000 R09: ffff88801d0598ff
R10: ffffffff82149a1c R11: 0000000000000000 R12: ffff88801d059a88
R13: 00000000ffffffff R14: ffff88801d059000 R15: 00000000ffffffff
 mb_test_and_clear_bits+0xd9/0x240 fs/ext4/mballoc.c:1675
 mb_free_blocks+0x364/0x1370 fs/ext4/mballoc.c:1811
 ext4_free_data_in_buddy fs/ext4/mballoc.c:3662 [inline]
 ext4_process_freed_data+0x56c/0x1070 fs/ext4/mballoc.c:3713
 ext4_journal_commit_callback+0x11e/0x380 fs/ext4/super.c:449
 jbd2_journal_commit_transaction+0x55a8/0x6be0 fs/jbd2/commit.c:1171
 kjournald2+0x1d0/0x930 fs/jbd2/journal.c:213
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 3696:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:259 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3234 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247
 kmem_cache_zalloc include/linux/slab.h:714 [inline]
 net_alloc net/core/net_namespace.c:402 [inline]
 copy_net_ns+0x125/0x760 net/core/net_namespace.c:457
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3075
 __do_sys_unshare kernel/fork.c:3146 [inline]
 __se_sys_unshare kernel/fork.c:3144 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3144
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 503:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kmem_cache_free+0xbd/0x5d0 mm/slub.c:3530
 net_free net/core/net_namespace.c:431 [inline]
 net_free net/core/net_namespace.c:427 [inline]
 cleanup_net+0x8ba/0xb00 net/core/net_namespace.c:614
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888075d9b480
 which belongs to the cache net_namespace of size 6464
The buggy address is located 600 bytes inside of
 6464-byte region [ffff888075d9b480, ffff888075d9cdc0)
The buggy address belongs to the page:
page:ffffea0001d76600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75d98
head:ffffea0001d76600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011885000
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3693, ts 1611631437660, free_ts 92175173930
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3247
 kmem_cache_zalloc include/linux/slab.h:714 [inline]
 net_alloc net/core/net_namespace.c:402 [inline]
 copy_net_ns+0x125/0x760 net/core/net_namespace.c:457
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3075
 __do_sys_unshare kernel/fork.c:3146 [inline]
 __se_sys_unshare kernel/fork.c:3144 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3144
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388
 __unfreeze_partials+0x343/0x360 mm/slub.c:2527
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:259 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3234 [inline]
 kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3270
 __alloc_skb+0x215/0x340 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1126 [inline]
 alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6078
 sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2575
 unix_dgram_sendmsg+0x3ec/0x1950 net/unix/af_unix.c:1811
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 sock_write_iter+0x289/0x3c0 net/socket.c:1057
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_write+0x1ee/0x250 fs/read_write.c:643

Memory state around the buggy address:
 ffff888075d9b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888075d9b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888075d9b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff888075d9b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888075d9b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	be b0 01 00 00       	mov    $0x1b0,%esi
   5:	e8 b4 ff ff ff       	callq  0xffffffbe
   a:	31 c0                	xor    %eax,%eax
   c:	c3                   	retq
   d:	90                   	nop
   e:	65 8b 05 29 be 8a 7e 	mov    %gs:0x7e8abe29(%rip),%eax        # 0x7e8abe3e
  15:	89 c1                	mov    %eax,%ecx
  17:	48 8b 34 24          	mov    (%rsp),%rsi
  1b:	81 e1 00 01 00 00    	and    $0x100,%ecx
  21:	65 48 8b 14 25 40 70 	mov    %gs:0x27040,%rdx
  28:	02 00
* 2a:	a9 00 01 ff 00       	test   $0xff0100,%eax <-- trapping instruction
  2f:	74 0e                	je     0x3f
  31:	85 c9                	test   %ecx,%ecx
  33:	74 35                	je     0x6a
  35:	8b 82 a4 15 00 00    	mov    0x15a4(%rdx),%eax
  3b:	85 c0                	test   %eax,%eax
  3d:	74 2b                	je     0x6a
  3f:	8b                   	.byte 0x8b



* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2021-12-22 11:00 ` [syzbot] " syzbot
@ 2022-04-09  8:19   ` Tetsuo Handa
  2022-04-09 16:46     ` Eric Dumazet
  2022-04-22 14:40     ` Tetsuo Handa
  0 siblings, 2 replies; 11+ messages in thread
From: Tetsuo Handa @ 2022-04-09  8:19 UTC (permalink / raw)
  To: bpf
  Cc: syzbot, andrii, andriin, ast, daniel, davem, dsahern, edumazet,
	john.fastabend, kafai, kpsingh, kuba, kuznet, netdev,
	songliubraving, syzkaller-bugs, tpa, yhs, yoshfuji

Hello, bpf developers.

syzbot is reporting use-after-free increment at __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS).

------------------------------------------------------------
[  702.730585][    C1] ==================================================================
[  702.743543][    C1] BUG: KASAN: use-after-free in tcp_retransmit_timer+0x6c0/0x1ba0
[  702.754301][    C1] Read of size 8 at addr ffff88801eed82b8 by task swapper/1/0
[  702.765301][    C1] 
[  702.768527][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0 #710
[  702.778323][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  702.790444][    C1] Call Trace:
[  702.794903][    C1]  <IRQ>
[  702.798753][    C1]  dump_stack_lvl+0xcd/0x134
[  702.804962][    C1]  print_address_description.constprop.0.cold+0x93/0x35d
[  702.809861][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  702.813344][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  702.817099][    C1]  kasan_report.cold+0x83/0xdf
[  702.820010][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  702.823666][    C1]  tcp_retransmit_timer+0x6c0/0x1ba0
[  702.827159][    C1]  ? tcp_mstamp_refresh+0xf/0x60
[  702.830448][    C1]  ? tcp_delack_timer+0x290/0x290
[  702.833410][    C1]  ? mark_held_locks+0x65/0x90
[  702.836790][    C1]  ? ktime_get+0x365/0x420
[  702.839893][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[  702.843144][    C1]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[  702.846621][    C1]  ? ktime_get+0x2e6/0x420
[  702.849334][    C1]  tcp_write_timer_handler+0x32f/0x5f0
[  702.852597][    C1]  tcp_write_timer+0x86/0x250
[  702.855736][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  702.859211][    C1]  call_timer_fn+0x15d/0x5f0
[  702.862327][    C1]  ? enqueue_timer+0x3b0/0x3b0
[  702.865295][    C1]  ? lock_downgrade+0x3b0/0x3b0
[  702.868462][    C1]  ? mark_held_locks+0x24/0x90
[  702.871511][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  702.875369][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[  702.878610][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  702.882085][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  702.885866][    C1]  run_timer_softirq+0xbdb/0xee0
[  702.889127][    C1]  ? call_timer_fn+0x5f0/0x5f0
[  702.892021][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[  702.895881][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[  702.899151][    C1]  __do_softirq+0x117/0x692
[  702.901960][    C1]  irq_exit_rcu+0xdb/0x110
[  702.904885][    C1]  sysvec_apic_timer_interrupt+0x93/0xc0
[  702.908837][    C1]  </IRQ>
[  702.910666][    C1]  <TASK>
[  702.965995][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  703.023333][    C1] RIP: 0010:default_idle+0xb/0x10
[  703.076496][    C1] Code: 04 25 28 00 00 00 75 0f 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 f3 08 fe ff cc cc cc eb 07 0f 00 2d a7 45 50 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
[  703.208123][    C1] RSP: 0018:ffffc90000757de0 EFLAGS: 00000202
[  703.276495][    C1] RAX: 000000000008c3e3 RBX: 0000000000000001 RCX: ffffffff86145f10
[  703.344388][    C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  703.411773][    C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed102338758b
[  703.477687][    C1] R10: ffff888119c3ac53 R11: ffffed102338758a R12: 0000000000000001
[  703.537679][    C1] R13: ffffffff8a539e50 R14: 0000000000000000 R15: ffff8881003e0000
[  703.603213][    C1]  ? rcu_eqs_enter.constprop.0+0xb0/0x100
[  703.667293][    C1]  default_idle_call+0xb1/0x330
[  703.728393][    C1]  do_idle+0x37f/0x430
[  703.789414][    C1]  ? mark_held_locks+0x24/0x90
[  703.852441][    C1]  ? arch_cpu_idle_exit+0x30/0x30
[  703.915057][    C1]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[  703.971934][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[  704.033376][    C1]  ? preempt_count_sub+0xf/0xb0
[  704.095999][    C1]  cpu_startup_entry+0x14/0x20
[  704.153464][    C1]  start_secondary+0x1b7/0x220
[  704.216128][    C1]  ? set_cpu_sibling_map+0x1010/0x1010
[  704.292706][    C1]  secondary_startup_64_no_verify+0xc3/0xcb
[  704.357456][    C1]  </TASK>
[  704.420920][    C1] 
[  704.483318][    C1] Allocated by task 4577:
[  704.546652][    C1]  kasan_save_stack+0x1e/0x40
[  704.610435][    C1]  __kasan_slab_alloc+0x90/0xc0
[  704.671983][    C1]  kmem_cache_alloc+0x1d7/0x760
[  704.734249][    C1]  copy_net_ns+0xaf/0x4a0
[  704.795405][    C1]  create_new_namespaces.isra.0+0x254/0x660
[  704.858394][    C1]  unshare_nsproxy_namespaces+0xb2/0x160
[  704.920500][    C1]  ksys_unshare+0x372/0x780
[  704.983267][    C1]  __x64_sys_unshare+0x1b/0x20
[  705.046194][    C1]  do_syscall_64+0x35/0xb0
[  705.107899][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  705.169680][    C1] 
[  705.231276][    C1] Freed by task 8:
[  705.294349][    C1]  kasan_save_stack+0x1e/0x40
[  705.359217][    C1]  kasan_set_track+0x21/0x30
[  705.422445][    C1]  kasan_set_free_info+0x20/0x30
[  705.481590][    C1]  __kasan_slab_free+0x11a/0x160
[  705.544098][    C1]  kmem_cache_free+0xe6/0x6a0
[  705.605324][    C1]  net_free+0x89/0xb0
[  705.666356][    C1]  cleanup_net+0x64a/0x730
[  705.728952][    C1]  process_one_work+0x65c/0xda0
[  705.792462][    C1]  worker_thread+0x7f/0x760
[  705.858871][    C1]  kthread+0x1c6/0x210
[  705.920770][    C1]  ret_from_fork+0x1f/0x30
[  705.978623][    C1] 
[  706.038487][    C1] The buggy address belongs to the object at ffff88801eed8000
[  706.038487][    C1]  which belongs to the cache net_namespace of size 6528
[  706.161551][    C1] The buggy address is located 696 bytes inside of
[  706.161551][    C1]  6528-byte region [ffff88801eed8000, ffff88801eed9980)
[  706.272381][    C1] The buggy address belongs to the page:
[  706.334149][    C1] page:ffffea00007bb600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eed8
[  706.400096][    C1] head:ffffea00007bb600 order:3 compound_mapcount:0 compound_pincount:0
[  706.460895][    C1] memcg:ffff88801921b441
[  706.519144][    C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[  706.585321][    C1] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888100024500
[  706.652434][    C1] raw: 0000000000000000 0000000080040004 00000001ffffffff ffff88801921b441
[  706.717358][    C1] page dumped because: kasan: bad access detected
[  706.783699][    C1] page_owner tracks the page as allocated
[  706.844889][    C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4577, ts 538093730950, free_ts 446175252650
[  706.984997][    C1]  prep_new_page+0x134/0x170
[  707.056009][    C1]  get_page_from_freelist+0x16c7/0x2510
[  707.130614][    C1]  __alloc_pages+0x29a/0x580
[  707.204976][    C1]  alloc_pages+0xda/0x1a0
[  707.278364][    C1]  new_slab+0x29e/0x3a0
[  707.350591][    C1]  ___slab_alloc+0xb66/0xf60
[  707.416827][    C1]  __slab_alloc.isra.0+0x4d/0xa0
[  707.487734][    C1]  kmem_cache_alloc+0x635/0x760
[  707.560973][    C1]  copy_net_ns+0xaf/0x4a0
[  707.631583][    C1]  create_new_namespaces.isra.0+0x254/0x660
[  707.704556][    C1]  unshare_nsproxy_namespaces+0xb2/0x160
[  707.778185][    C1]  ksys_unshare+0x372/0x780
[  707.853990][    C1]  __x64_sys_unshare+0x1b/0x20
[  707.927571][    C1]  do_syscall_64+0x35/0xb0
[  707.999337][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  708.073634][    C1] page last free stack trace:
[  708.145935][    C1]  free_pcp_prepare+0x325/0x650
[  708.219254][    C1]  free_unref_page+0x19/0x360
[  708.290288][    C1]  __unfreeze_partials+0x320/0x340
[  708.359731][    C1]  qlist_free_all+0x6d/0x160
[  708.431552][    C1]  kasan_quarantine_reduce+0x13d/0x180
[  708.505070][    C1]  __kasan_slab_alloc+0xa2/0xc0
[  708.577128][    C1]  kmem_cache_alloc+0x1d7/0x760
[  708.649556][    C1]  vm_area_alloc+0x1c/0xa0
[  708.725996][    C1]  mmap_region+0x64f/0xc40
[  708.786537][    C1]  do_mmap+0x66b/0xa40
[  708.861188][    C1]  vm_mmap_pgoff+0x1aa/0x270
[  708.921977][    C1]  ksys_mmap_pgoff+0x357/0x410
[  708.998067][    C1]  do_syscall_64+0x35/0xb0
[  709.072158][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  709.142294][    C1] 
[  709.210670][    C1] Memory state around the buggy address:
[  709.286139][    C1]  ffff88801eed8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  709.363031][    C1]  ffff88801eed8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  709.429425][    C1] >ffff88801eed8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  709.496217][    C1]                                         ^
[  709.560374][    C1]  ffff88801eed8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  709.634175][    C1]  ffff88801eed8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  709.701217][    C1] ==================================================================
[  709.767019][    C1] Disabling lock debugging due to kernel taint
[  709.831133][    C1] Kernel panic - not syncing: panic_on_warn set ...
[  709.890180][    C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             5.17.0 #710
[  709.958293][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  710.031328][    C1] Call Trace:
[  710.096636][    C1]  <IRQ>
[  710.165649][    C1]  dump_stack_lvl+0xcd/0x134
[  710.232724][    C1]  panic+0x263/0x5fa
[  710.300396][    C1]  ? __warn_printk+0xf3/0xf3
[  710.362683][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  710.425386][    C1]  ? preempt_count_sub+0xf/0xb0
[  710.487806][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  710.550567][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  710.612008][    C1]  end_report.cold+0x63/0x6f
[  710.671465][    C1]  kasan_report.cold+0x71/0xdf
[  710.731242][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
[  710.792468][    C1]  tcp_retransmit_timer+0x6c0/0x1ba0
[  710.850296][    C1]  ? tcp_mstamp_refresh+0xf/0x60
[  710.911655][    C1]  ? tcp_delack_timer+0x290/0x290
[  710.972588][    C1]  ? mark_held_locks+0x65/0x90
[  711.033775][    C1]  ? ktime_get+0x365/0x420
[  711.091494][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[  711.153223][    C1]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[  711.210432][    C1]  ? ktime_get+0x2e6/0x420
[  711.269857][    C1]  tcp_write_timer_handler+0x32f/0x5f0
[  711.331006][    C1]  tcp_write_timer+0x86/0x250
[  711.391916][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  711.452155][    C1]  call_timer_fn+0x15d/0x5f0
[  711.517305][    C1]  ? enqueue_timer+0x3b0/0x3b0
[  711.580906][    C1]  ? lock_downgrade+0x3b0/0x3b0
[  711.642255][    C1]  ? mark_held_locks+0x24/0x90
[  711.703500][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  711.766484][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[  711.828625][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  711.889862][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
[  711.952756][    C1]  run_timer_softirq+0xbdb/0xee0
[  712.014027][    C1]  ? call_timer_fn+0x5f0/0x5f0
[  712.063350][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[  712.125673][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[  712.183626][    C1]  __do_softirq+0x117/0x692
[  712.245067][    C1]  irq_exit_rcu+0xdb/0x110
[  712.294611][    C1]  sysvec_apic_timer_interrupt+0x93/0xc0
[  712.363854][    C1]  </IRQ>
[  712.426802][    C1]  <TASK>
[  712.482854][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  712.542428][    C1] RIP: 0010:default_idle+0xb/0x10
[  712.577029][    C1] Code: 04 25 28 00 00 00 75 0f 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 f3 08 fe ff cc cc cc eb 07 0f 00 2d a7 45 50 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
[  712.703886][    C1] RSP: 0018:ffffc90000757de0 EFLAGS: 00000202
[  712.763854][    C1] RAX: 000000000008c3e3 RBX: 0000000000000001 RCX: ffffffff86145f10
[  712.829677][    C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  712.893652][    C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed102338758b
[  712.956344][    C1] R10: ffff888119c3ac53 R11: ffffed102338758a R12: 0000000000000001
[  713.020195][    C1] R13: ffffffff8a539e50 R14: 0000000000000000 R15: ffff8881003e0000
[  713.083426][    C1]  ? rcu_eqs_enter.constprop.0+0xb0/0x100
[  713.144632][    C1]  default_idle_call+0xb1/0x330
[  713.207385][    C1]  do_idle+0x37f/0x430
[  713.269538][    C1]  ? mark_held_locks+0x24/0x90
[  713.332700][    C1]  ? arch_cpu_idle_exit+0x30/0x30
[  713.396223][    C1]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[  713.460909][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[  713.527012][    C1]  ? preempt_count_sub+0xf/0xb0
[  713.594736][    C1]  cpu_startup_entry+0x14/0x20
[  713.662751][    C1]  start_secondary+0x1b7/0x220
[  713.718784][    C1]  ? set_cpu_sibling_map+0x1010/0x1010
[  713.785338][    C1]  secondary_startup_64_no_verify+0xc3/0xcb
[  713.851417][    C1]  </TASK>
[  713.916633][    C1] Kernel Offset: disabled
[  713.981646][    C1] Rebooting in 10 seconds..
------------------------------------------------------------

I managed to convert https://syzkaller.appspot.com/text?tag=ReproC&x=14fcccedb00000
into a single-threaded simple reproducer shown below.

------------------------------------------------------------
// https://syzkaller.appspot.com/bug?id=8f0e04b2beffcd42f044d46879cc224f6eb71a99
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <pthread.h>
#include <sched.h>	/* unshare(), CLONE_NEWNET (needs _GNU_SOURCE) */
#include <stdbool.h>
#include <stdint.h>	/* uint16_t, uint64_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#ifndef MSG_PROBE
#define MSG_PROBE 0x10
#endif

/* Minimal rtnetlink message builder, as generated by the syzkaller harness. */
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                         const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                         int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
                            int* reply_len, bool dofail)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
			   (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

/* RTM_NEWLINK: set the MAC address of `name` and bring the interface up. */
static void netlink_device_change(int sock, const char* name, const void* mac, int macsize)
{
	struct nlmsg nlmsg;
	struct ifinfomsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ifi_flags = hdr.ifi_change = IFF_UP;
	hdr.ifi_index = if_nametoindex(name);
	netlink_init(&nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
	netlink_attr(&nlmsg, IFLA_ADDRESS, mac, macsize);
	netlink_send(&nlmsg, sock);
}

/* RTM_NEWADDR: add `addr` to `dev` (/24 for IPv4, /120 for IPv6). */
static void netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize)
{
	struct nlmsg nlmsg;
	struct ifaddrmsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
	hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
	hdr.ifa_scope = RT_SCOPE_UNIVERSE;
	hdr.ifa_index = if_nametoindex(dev);
	netlink_init(&nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
		     sizeof(hdr));
	netlink_attr(&nlmsg, IFA_LOCAL, addr, addrsize);
	netlink_attr(&nlmsg, IFA_ADDRESS, addr, addrsize);
	netlink_send(&nlmsg, sock);
}

static void netlink_add_addr4(int sock, const char* dev, const char* addr)
{
	struct in_addr in_addr;
	inet_pton(AF_INET, addr, &in_addr);
	netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
}

static void netlink_add_addr6(int sock, const char* dev, const char* addr)
{
	struct in6_addr in6_addr;
	inet_pton(AF_INET6, addr, &in6_addr);
	netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
}

/* Configure "lo" inside the new namespace: an IPv4 and an IPv6 address plus
 * a MAC, and bring it up. The /24 on "lo" is what gives 172.20.20.180 (the
 * connect target in execute_one()) a route. */
static void initialize_netdevices(void)
{
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	uint64_t macaddr = 0x00aaaaaaaaaa;
	if (fd < 0)
		exit(1);
	netlink_add_addr4(fd, "lo", "172.20.20.10");
	netlink_add_addr6(fd, "lo", "fe80::0a");
	netlink_device_change(fd, "lo", &macaddr, ETH_ALEN);
	close(fd);
}

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/* Only the first 5 instructions (40 bytes) of this blob are loaded
 * (insn_cnt = 5 in execute_one()); the remaining bytes are unused filler.
 * Those five decode to: r6 = r1 (ctx); r7 = 0xfff00001 (SKF_NET_OFF + 1);
 * r0 = ld_ind_b [r7]; r0 = ld_abs_b [0xc00000]; exit. */
static const char program[2053] =
	"\xbf\x16\x00\x00\x00\x00\x00\x00\xb7\x07\x00\x00\x01\x00\xf0\xff\x50\x70"
	"\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\xc0\x00\x95\x00\x00\x00"
	"\x00\x00\x00\x00\x2b\xa7\x28\x04\x15\x98\xd6\xfb\xd3\x0c\xb5\x99\xe8\x3d"
	"\x24\xbd\x81\x37\xa3\xaa\x81\xe0\xed\x13\x9a\x85\xd3\x6b\xb3\x01\x9c\x13"
	"\xbd\x23\x21\xaf\x3c\xf1\xa5\x4f\x26\xfb\xbf\x22\x0b\x71\xd0\xe6\xad\xfe"
	"\xfc\xf1\xd8\xf7\xfa\xf7\x5e\x0f\x22\x6b\xd9\x17\x48\x79\x60\x71\x71\x42"
	"\xfa\x9e\xa4\x31\x81\x23\x75\x1c\x0a\x0e\x16\x8c\x18\x86\xd0\xd4\xd3\x53"
	"\x79\xbd\x22\x3e\xc8\x39\xbc\x16\xee\x98\x8e\x6e\x0d\xc8\xce\xdf\x3c\xeb"
	"\x9f\xbf\xbf\x9b\x0a\x4d\xef\x23\xd4\x30\xf6\x09\x6b\x32\xa8\x34\x38\x81"
	"\x07\x20\xa1\x59\xcd\xa9\x03\x63\xdb\x3d\x22\x1e\x15\x2d\xdc\xa6\x40\x57"
	"\xff\x3c\x47\x44\xae\xac\xcd\x36\x41\x11\x0b\xec\x4e\x90\x27\xa0\xc8\x05"
	"\x5b\xbf\xc3\xa9\x6d\x2e\x89\x10\xc2\xc3\x9e\x4b\xab\xe8\x02\xf5\xab\x3e"
	"\x89\xcf\x6c\x66\x2e\xd4\x04\x8d\x3b\x3e\x22\x27\x8d\x00\x03\x1e\x53\x88"
	"\xee\x5c\x6e\xce\x1c\xcb\x0c\xd2\xb6\xd3\xcf\xfd\x96\x9d\x18\xce\x74\x00"
	"\x68\x72\x5c\x37\x07\x4e\x46\x8e\xe2\x07\xd2\xf7\x39\x02\xea\xcf\xcf\x49"
	"\x82\x27\x75\x98\x5b\xf3\x1b\x71\x5f\x58\x88\xb2\xfd\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x60\xdb\xe7\x1c\xce\xee\x10\x00"
	"\x00\xdd\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\xdd\xff\xff\xff"
	"\x00\x00\xb2\x7c\xf3\xd1\x84\x8a\x54\xd7\x13\x2b\xe1\xff\xb0\xad\xf9\xde"
	"\xab\x33\x23\xaa\x9f\xdf\xb5\x2f\xaf\x9c\xb0\x9c\x3b\xfd\x09\x00\x00\x00"
	"\xb9\x1a\xb2\x19\xef\xde\xbb\x7b\x3d\xe8\xf6\x75\x81\xcf\x79\x6a\xad\x42"
	"\x23\xb9\xff\x7f\xfc\xad\x3f\x6c\x96\x2b\x9f\x03\x00\x00\x00\x00\x00\x00"
	"\x00\x1c\xf4\x1a\xb1\x1f\x12\xfb\x1e\x0a\x49\x40\x34\x00\x7d\xe7\xc6\x59"
	"\x2d\xf1\xa6\xc6\x4d\x8f\x20\xa6\x77\x45\x40\x9e\x01\x1f\x12\x64\xd4\x3f"
	"\x15\x3b\x3d\x34\x89\x9f\x40\x15\x9e\x80\x0e\xa2\x47\x4b\x54\x05\x00\xa3"
	"\x0b\x23\xbc\xee\x46\x76\x2c\x20\x93\xbc\xc9\xea\xe5\xee\x3e\x98\x00\x26"
	"\xc9\x6f\x80\xee\x1a\x74\xe0\x4b\xde\x74\x07\x50\xfa\x4d\x9a\xaa\x70\x59"
	"\x89\xb8\xe6\x73\xe3\x29\x6e\x52\xd3\x37\xc5\x6a\xbf\x11\x28\x74\xec\x51"
	"\xd6\xfe\x04\x8b\xa6\x86\x6a\xde\xba\xb5\x31\x68\x77\x0a\x71\xad\x90\x1a"
	"\xce\x38\x3e\x41\xd2\x77\xb1\x03\x92\x3a\x9d\x97\x1f\x7a\x25\x91\xdb\xe4"
	"\xa9\x12\xff\xaf\x6f\x65\x8f\x3f\x9c\xd1\x62\x86\x74\x4f\x83\xa8\x3f\x13"
	"\x8f\x8f\x92\xef\xd9\x22\x39\xea\xfc\xe5\xc1\xb3\xf9\x7a\x29\x7c\x9e\x49"
	"\xa0\xc3\x30\x0e\xf7\xb7\xfb\x5f\x09\xe0\xc8\xa8\x68\xa3\x53\x40\x9e\x34"
	"\xd3\xe8\x22\x79\x63\x75\x99\xf3\x5a\xd3\xf7\xff\xff\xff\x3c\xac\x39\x4c"
	"\x7b\xbd\xcd\x0e\x0e\xb5\x21\x89\x2c\x0f\x32\x01\x5b\xf4\xf2\x26\xa4\xe7"
	"\x0f\x03\xcc\x41\x46\xa7\x7a\xf0\x2c\x1d\x4c\xef\xd4\xa2\xb9\x4c\x0a\xed"
	"\x84\x77\xdf\xa8\xce\xef\xb4\x67\xf0\x5c\x69\x77\xc7\x8c\xdb\xf3\x77\x04"
	"\xec\x73\x75\x55\x39\x2a\x0b\x06\x4b\xda\xba\x71\xf8\x97\x14\x49\x10\xfe"
	"\x05\x00\x38\xec\x9e\x47\xde\x89\x29\x8b\x7b\xf4\xd7\x69\xcc\xc1\x8e\xed"
	"\xe0\x06\x8c\xa1\x45\x78\x70\xeb\x30\xd2\x11\xe2\x3c\xcc\x8e\x06\xdd\xde"
	"\xb6\x17\x99\x25\x7a\xb5\x5f\xf4\x13\xc8\x6b\xa9\xaf\xfb\x12\xec\x75\x7c"
	"\x72\x34\xc2\x70\x24\x6c\x87\x8d\x01\x16\x0e\x6c\x07\xbf\x6c\xf8\x80\x9c"
	"\x3a\x0d\x06\x23\x57\xba\x25\x15\x56\x72\x30\xad\x1e\x1f\x49\x33\x54\x5f"
	"\xc3\xc7\x41\x37\x36\x11\x66\x3f\x6b\x63\xb1\xdd\x04\x4d\xd0\xa2\x76\x8e"
	"\x82\x59\x72\xea\x3b\x77\x64\x14\x67\xc8\x9f\xa0\xf8\x2e\x84\x40\x10\x50"
	"\x51\xe5\x51\x0a\x33\xdc\xda\x5e\x4e\x20\x2b\xd6\x22\x54\x9c\x4c\xff\x3f"
	"\x5e\x50\x1d\x3a\x5d\xd7\x14\x3f\xbf\x22\x1f\xff\x16\x1c\x12\xca\x38\x95"
	"\xa3\x00\x00\x00\x00\x00\x00\x0f\xff\x75\x06\x7d\x2a\x21\x4f\x8c\x9d\x9b"
	"\x2e\xcf\x63\x01\x6c\x5f\xd9\xc2\x6a\x54\xd4\x3f\xa0\x50\xb8\x8d\x1d\x43"
	"\xa8\x64\x5b\xd9\x76\x9b\x7e\x07\x86\x9b\xba\x71\x31\x42\x1c\x0f\x39\x11"
	"\x3b\xe7\x66\x4e\x08\xbd\xd7\x11\x5c\x61\xaf\xcb\x71\x8c\xf3\xc4\x68\x0b"
	"\x2f\x6c\x7a\x84\x00\xe3\x78\xa9\xb1\x5b\xc2\x0f\x49\xe2\x98\x72\x73\x40"
	"\xe8\x7c\xde\xfb\x40\xe5\x6e\x9c\xfa\xd9\x73\x34\x7d\x0d\xe7\xba\x47\x54"
	"\xff\x23\x1a\x1b\x93\x3d\x8f\x93\x1b\x8c\x55\x2b\x2c\x7c\x50\x3f\x3d\x0e"
	"\x7a\xb0\xe9\x58\xad\xb8\x62\x82\x2e\x40\x00\x99\x95\xae\x16\x6d\xeb\x98"
	"\x56\x29\x1a\x43\xa6\xf7\xeb\x2e\x32\xce\xfb\xf4\x63\x78\x9e\xaf\x79\xb8"
	"\xd4\xc2\xbf\x0f\x7a\x2c\xb0\x32\xda\xd1\x30\x07\xb8\x2e\x60\xdb\xe9\x86"
	"\x4a\x11\x7d\x27\x32\x68\x50\xa7\xc3\xb5\x70\x86\x3f\x53\x2c\x21\x8b\x10"
	"\xaf\x13\xd7\xbe\x94\x98\x70\x05\x08\x8a\x83\x88\x0c\xca\xb9\xc9\x92\x0c"
	"\x2d\x2a\xf8\xc5\xe1\x3d\x52\xc8\x3a\xc3\xfa\x7c\x3a\xe6\xc0\x83\x84\x86"
	"\x5b\x66\xd2\xb4\xdc\xb5\xdd\x9c\xba\x16\xb6\x20\x40\xbf\x87\x02\xae\x12"
	"\xc7\x7e\x6e\x34\x99\x1a\xf6\x03\xe3\x85\x6a\x34\x6c\xf7\xf9\xfe\xeb\x70"
	"\x88\xae\xda\x89\x0c\xf8\xa4\xa6\xf3\x1b\xa6\xd9\xb8\xcb\x09\x8f\x93\x5b"
	"\xdc\xbb\x29\xfd\x0f\x1a\x34\x2c\x01\x00\x00\x00\x00\x00\x00\x00\x48\xa9"
	"\xde\xa0\x00\x00\x3a\x85\x67\xa7\x59\x2b\x33\x40\x6f\x1f\x71\xc7\x39\xb5"
	"\x5d\xb9\x1d\x23\x09\xdc\x7a\xe4\x01\x00\x5f\x52\x05\x3a\x39\xe7\x30\x7c"
	"\x09\xff\x3a\xc3\xe8\x20\xb0\x1c\x57\xdd\x74\xd4\xaa\xfc\x4c\x38\x3a\x17"
	"\xbc\x1d\xe5\x34\x7b\xb7\x1c\xa1\x6d\xcb\xbb\xaa\x29\x35\xf6\x02\x32\x59"
	"\x84\x38\x6b\x21\xb9\x64\x92\xae\x66\x20\x82\xb5\x6c\xf6\x66\xe6\x3a\x75"
	"\x7c\x0e\xf3\xea\x7a\xf6\x88\x15\x13\xbe\x94\xb3\x66\xe1\x5f\xfc\xa8\xec"
	"\x45\x3b\x3a\x2a\x67\xbe\xdc\xa1\xc7\x66\x95\x22\xe8\xdf\xf8\xbc\x57\x0a"
	"\x93\xfb\xdb\x68\x8c\x3a\xef\xd4\x75\x01\x27\x7a\x6e\xa6\xb1\x11\x63\x39"
	"\x2a\x19\xd8\x79\x95\xb5\x1c\x96\xfe\xbd\x5f\x24\xa3\x49\x98\xd2\x01\x0f"
	"\xd5\xfa\xcf\x68\xc4\xf8\x4e\x2f\x66\xe2\x7c\x81\xa1\x49\xd7\xb3\x31\x98"
	"\x3d\x3b\x74\x44\x49\x53\xfc\x12\x16\xdf\xec\x10\xb7\x24\xbe\x37\x33\xc2"
	"\x6f\x12\x53\x83\x76\xe1\x77\xff\xef\x6f\xd2\x60\x3b\xfa\xb9\x68\x31\x95"
	"\x7a\x08\xe4\x91\x9a\x46\x3d\x53\x32\xa2\x54\x60\x32\xa3\xc0\x6b\x94\xf1"
	"\x68\xe8\xfc\x4b\xda\x0c\x29\x47\x23\xfe\x30\x6f\x26\xc4\x77\xaf\x4b\x92"
	"\x66\x44\x67\x29\x85\xfa\xb7\xcc\x67\xbc\x5b\x5f\x5d\x38\xcd\xd8\xdf\x95"
	"\x14\x7e\xbe\x1c\xd8\x8b\x0a\x2f\xbb\xde\x99\x51\xbe\x42\x82\x7d\xfd\xdf"
	"\xef\xb2\x38\xfa\xc2\x30\x3c\xc8\x98\x2f\x1e\x55\xb0\x05\xaf\xcf\xea\x5e"
	"\xb0\x37\x24\x8f\xef\xad\x6b\xb0\x2c\x16\x2c\xe9\x2a\xb1\x27\x13\x52\x2b"
	"\x97\x50\x6c\x26\x77\x44\xc8\xec\x3d\x2e\x80\xcf\x32\x05\xd3\x66\x99\xfd"
	"\x38\x1b\xc8\x12\x31\xfb\x5e\x12\xe4\x5f\x30\x59\xf3\x61\xd0\x8d\x6a\x6d"
	"\x01\xdd\x79\xca\x9b\xfb\x4e\x06\x25\x94\x27\xb0\x29\x44\x7a\x3e\xd7\x0a"
	"\x2b\x70\xbe\x52\x1e\xa2\x7d\xc8\xcf\x3c\x9b\xdf\x83\xb9\x34\x05\xdb\x07"
	"\xe8\x2e\x2d\xdf\x4c\x4d\x26\xf1\xcd\xd8\xc3\xc9\x73\x6c\xf5\xe5\x08\x6d"
	"\xe3\xb4\x84\xf8\x67\x3e\x0e\x97\xdd\x7e\x8a\x87\x21\x48\x61\x3c\x3a\xea"
	"\xf2\xd6\x7f\x43\x75\xba\x5c\x7f\x1b\x00\x33\xf8\xdf\xe0\x1d\x9c\xb2\xa7"
	"\x08\x01\xf7\x63\x52\x4e\x1d\x79\xd8\x12\xce\xd7\x82\x64\x6b\x5f\x79\xc8"
	"\xfc\x08\xbb\x5c\x11\x02\x01\x08\xd7\x02\xed\xd2\xea\x9c\x96\xcf\xcb\x90"
	"\x66\x66\x86\x27\x82\x0d\x2d\x48\xaa\x5f\xc0\xa7\xbf\x1b\x51\xaf\xd8\x53"
	"\x50\xad\x00\xb7\x8c\x59\x8f\xa8\x70\x1b\x40\x08\x84\xde\x79\x0b\x54\xe5"
	"\xab\x2e\x8f\xf0\xc7\xae\x23\xe0\xb6\xee\xac\x95\xc4\xc2\xee\xf2\xe5\xeb"
	"\x1d\x01\x9d\x52\x09\x9f\xbd\x40\x4e\x8e\xce\x97\x0f\x67\x73\x6b\xa7\xe9"
	"\x60\xbd\x8b\x1e\x41\x05\xce\x7e\x31\xf7\xc9\xc3\xe3\xfa\x61\xaa\xb9\x67"
	"\x56\x5e\x04\x00\x00\x00\x00\x00\x00\x00\xa8\xcf\xda\x89\x0a\x98\xb9\x00"
	"\x87\xe9\x1d\x70\x3e\x98\x53\x5b\x10\x7b\x8f\x46\x53\xbe\x4c\x46\xa3\xa1"
	"\xad\xb0\x7d\x22\x69\x52\xb8\x57\x3b\x41\x70\x18\x31\x6f\xa9\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x41\x22\xc8\x63\x70\x9b\x08\xd4\x63\x9a\x2c\xa4\x6a"
	"\xc9\x0a\xc4\x29\x13\xee\x9b\xca\xa8\x75\xfc\x70\x0b\xa3\x67\xca\x31\x82"
	"\x10\x59\x60\xbe\xf3\x37\x8a\x98\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x25\x03\x18\xa4\x4a\xae\xbd\xe8\x49"
	"\x58\x0d\x86\xd1\xaf\xb0\x2a\x49\x6c\x35\xca\x95\x0d\x60\xa3\xd9\x7f\x23"
	"\xac\x37\xf8\x80\xdd\xc3\xb1\x7b\x12\x09\xb0\x03\xc3\x33\x4b\x1c\xc0\xdb"
	"\x48\x3e\x24\x43\x69\x5f\xc9\x5e\xbb\x83\x20\xc9\xad\xee\x62\x94\x51\x4c"
	"\x2c\xa4\x2a\x10\x48\x28\x6d\x70\xd6\x29\x8c\xe1\x4d\x03\x1d\x04\x7b\x08"
	"\x0a\x76\x8b\x9d\xc3\x0e\x64\x40\xa1\x03\x0a\xcf\x39\x13\xa5\x78\x65\xa2"
	"\x77\xce\x60\xe4\x2c\xe3\xb6\xb4\x3b\x4e\x18\xd5\xb5\x3f\xa1\x9f\x94\x69"
	"\x01\x59\x04\xc7\xbb\xde\xf5\xd8\x90\x1f\xff\x46\x14\x77\xe0\x06\xa7\xaa"
	"\x3f\x5e\xb4\x80\x09\x82\xcb\x62\x93\x5c\x26\x49\x00\xd9\xb2\xeb\xf2\x7c"
	"\xd9\x99\x3f\xce\x0b\x10\x71\xd0\x51\x69\xf3\x38\x60\x91\xcf\xc4\x7d\xe1"
	"\x09\xf9\x73\x47\x43\x4b\x79\x06\x40\x76\xe2\xb6\xea\x28\xd6\x9e\xbb\x75"
	"\x0d";

static const char license[4] = "GPL";

static void execute_one(void)
{
	/* Socket filter built from the first 5 instructions of `program`. */
	const union bpf_attr attr = {
		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
		.insn_cnt = 5,
		.insns = (unsigned long long) program,
		.license = (unsigned long long) license,
	};
	/* Connect target: in the /24 configured on "lo", but not a local
	 * address of this namespace. */
	struct sockaddr_in addr = {
		.sin_family = AF_INET,
		.sin_port = htons(0x4001),
		.sin_addr.s_addr = inet_addr("172.20.20.180")
	};
	const struct msghdr msg = {
		.msg_name = &addr,
		.msg_namelen = sizeof(addr),
	};
	const int bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, 72);
	const int sock_fd = socket(PF_INET, SOCK_STREAM, 0);
	/* SIGALRM terminates the process after 3 s, which releases the
	 * network namespace created in main(). */
	alarm(3);
	while (1) {
		/* MSG_FASTOPEN on an unconnected TCP socket makes sendmsg()
		 * perform the connect (SYN) itself; MSG_PROBE is the raw Linux
		 * flag value (0x10) that glibc does not export. */
		sendmsg(sock_fd, &msg, MSG_OOB | MSG_PROBE | MSG_CONFIRM | MSG_FASTOPEN);
		setsockopt(sock_fd, SOL_SOCKET, SO_ATTACH_BPF, &bpf_fd, sizeof(bpf_fd));
	}
}

int main(void)
{
	/* Everything runs in a fresh network namespace (needs CAP_SYS_ADMIN),
	 * which is torn down once the process has been killed by the alarm. */
	if (unshare(CLONE_NEWNET))
		return 1;
	initialize_netdevices();
	execute_one();
	return 0;
}
------------------------------------------------------------

I don't know what this bpf program is doing, but I suspect that this bpf
program somehow involves a PF_INET6 socket without taking a reference to
the net namespace in which this bpf program runs.

Below is the debug printk() patch for 5.17 which I used for tracing.

------------------------------------------------------------
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 5b61c462e534..a2fd96da8e21 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -178,6 +178,7 @@ struct net {
 #if IS_ENABLED(CONFIG_SMC)
 	struct netns_smc	smc;
 #endif
+	struct list_head struct_net_users;
 } __randomize_layout;
 
 #include <linux/seq_file_net.h>
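Review bot: the new `struct_net_users` field carries no comment saying what it holds (the sockets whose `sk_net` points at this namespace, added from `sk_alloc()` and `sock_copy()`) or which lock protects it (`net_users_lock`, defined in net_namespace.c); add one, since the field sits in a `__randomize_layout` struct that many other files include.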
@@ -243,41 +244,16 @@ void ipx_unregister_sysctl(void);
 void __put_net(struct net *net);
 
 /* Try using get_net_track() instead */
-static inline struct net *get_net(struct net *net)
-{
-	refcount_inc(&net->ns.count);
-	return net;
-}
+extern struct net *get_net(struct net *net);
 
-static inline struct net *maybe_get_net(struct net *net)
-{
-	/* Used when we know struct net exists but we
-	 * aren't guaranteed a previous reference count
-	 * exists.  If the reference count is zero this
-	 * function fails and returns NULL.
-	 */
-	if (!refcount_inc_not_zero(&net->ns.count))
-		net = NULL;
-	return net;
-}
+extern struct net *maybe_get_net(struct net *net);
 
 /* Try using put_net_track() instead */
-static inline void put_net(struct net *net)
-{
-	if (refcount_dec_and_test(&net->ns.count))
-		__put_net(net);
-}
+extern void put_net(struct net *net);
 
-static inline
-int net_eq(const struct net *net1, const struct net *net2)
-{
-	return net1 == net2;
-}
+extern int net_eq(const struct net *net1, const struct net *net2);
 
-static inline int check_net(const struct net *net)
-{
-	return refcount_read(&net->ns.count) != 0;
-}
+extern int check_net(const struct net *net);
 
 void net_drop_ns(void *);
 
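Review bot: `net_eq()` and `check_net()` gain nothing from being moved out of line, since their new bodies in net_namespace.c contain no tracing; leave those two as the original `static inline` helpers and only out-of-line `get_net()`, `maybe_get_net()` and `put_net()`, which are the ones that print. That keeps the hot-path comparison cheap and trims the diff to what the experiment needs.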
diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 29e41ff3ec93..df89ff3dfa41 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -118,7 +118,7 @@ static inline void __reqsk_free(struct request_sock *req)
 	if (req->rsk_listener)
 		sock_put(req->rsk_listener);
 	kfree(req->saved_syn);
-	kmem_cache_free(req->rsk_ops->slab, req);
+	//kmem_cache_free(req->rsk_ops->slab, req);
 }
 
 static inline void reqsk_free(struct request_sock *req)
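Review bot: commenting out `kmem_cache_free(req->rsk_ops->slab, req)` leaks every request_sock for the lifetime of the kernel and wants a `/* DEBUG: deliberately leaked so the address is never reused */` comment next to it, so nobody mistakes this for the fix. Note also that with the object never freed, KASAN can no longer flag a stale `req` access on its own; detection now rests entirely on the `is_to_be_destroyed_net()` checks added in tcp_timer.c.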
diff --git a/include/net/sock.h b/include/net/sock.h
index 50aecd28b355..d2f386f9aa73 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -540,6 +540,7 @@ struct sock {
 #endif
 	struct rcu_head		sk_rcu;
 	netns_tracker		ns_tracker;
+	struct list_head	struct_net_user;
 };
 
 enum sk_pacing {
@@ -2704,17 +2705,10 @@ static inline void sk_eat_skb(struct sock *sk, struct sk_buff *skb)
 	__kfree_skb(skb);
 }
 
-static inline
-struct net *sock_net(const struct sock *sk)
-{
-	return read_pnet(&sk->sk_net);
-}
-
-static inline
-void sock_net_set(struct sock *sk, struct net *net)
-{
-	write_pnet(&sk->sk_net, net);
-}
+extern struct net *sock_net(const struct sock *sk);
+extern void sock_net_set(struct sock *sk, struct net *net);
+extern void sock_net_start_tracking(struct sock *sk, struct net *net);
+extern void sock_net_end_tracking(struct sock *sk);
 
 static inline bool
 skb_sk_is_prefetched(struct sk_buff *skb)
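Review bot: turning `sock_net()` into an out-of-line call changes the experiment's timing: it is invoked from nearly every networking hot path and from softirq/timer context, and the replacement body takes `net_users_lock` with IRQs disabled and walks the per-namespace socket list on every call. Expect the race window to move or vanish; if the bug stops reproducing with this patch applied, that is the first thing to suspect.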
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index a5b5bb99c644..cf4e8b224654 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -26,6 +26,8 @@
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
 
+DEFINE_SPINLOCK(net_users_lock);
+
 /*
  *	Our network namespace constructor/destructor lists
  */
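Review bot: `net_users_lock` is only used inside net_namespace.c and has no declaration in any header, so make it `static DEFINE_SPINLOCK(net_users_lock);` (sparse will otherwise warn about a symbol that was not declared).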
@@ -50,6 +52,7 @@ struct net init_net = {
 #ifdef CONFIG_KEYS
 	.key_domain	= &init_net_key_domain,
 #endif
+	.struct_net_users = LIST_HEAD_INIT(init_net.struct_net_users),
 };
 EXPORT_SYMBOL(init_net);
 
@@ -406,6 +409,7 @@ static struct net *net_alloc(void)
 	net = kmem_cache_zalloc(net_cachep, GFP_KERNEL);
 	if (!net)
 		goto out_free;
+	INIT_LIST_HEAD(&net->struct_net_users);
 
 #ifdef CONFIG_KEYS
 	net->key_domain = kzalloc(sizeof(struct key_tag), GFP_KERNEL);
@@ -432,7 +436,7 @@ static void net_free(struct net *net)
 {
 	if (refcount_dec_and_test(&net->passive)) {
 		kfree(rcu_access_pointer(net->gen));
-		kmem_cache_free(net_cachep, net);
+		//kmem_cache_free(net_cachep, net);
 	}
 }
 
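Review bot: the commented-out `kmem_cache_free(net_cachep, net)` is what makes `is_to_be_destroyed_net()` sound: because a `struct net` address is never returned to the slab, an address found on `to_be_destroyed_net_list` cannot belong to a newer, live namespace. State that dependency in a comment here, since re-enabling the free without also removing entries from the list would turn the check into a source of false positives.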
@@ -637,8 +641,46 @@ EXPORT_SYMBOL(net_ns_barrier);
 
 static DECLARE_WORK(net_cleanup_work, cleanup_net);
 
+struct to_be_destroyed_net {
+	struct list_head list;
+	struct net *net;
+};
+
+static LIST_HEAD(to_be_destroyed_net_list);
+static DEFINE_SPINLOCK(to_be_destroyed_net_list_lock);
+
+bool is_to_be_destroyed_net(struct net *net)
+{
+	unsigned long flags;
+	struct to_be_destroyed_net *entry;
+	bool found = false;
+
+	spin_lock_irqsave(&to_be_destroyed_net_list_lock, flags);
+	list_for_each_entry(entry, &to_be_destroyed_net_list, list) {
+		if (entry->net == net) {
+			found = true;
+			break;
+		}
+	}
+	spin_unlock_irqrestore(&to_be_destroyed_net_list_lock, flags);
+	return found;
+}
+EXPORT_SYMBOL(is_to_be_destroyed_net);
+
 void __put_net(struct net *net)
 {
+	struct to_be_destroyed_net *entry = kzalloc(sizeof(*entry), GFP_ATOMIC | __GFP_NOWARN);
+	unsigned long flags;
+
+	if (entry) {
+		entry->net = net;
+		spin_lock_irqsave(&to_be_destroyed_net_list_lock, flags);
+		list_add_tail(&entry->list, &to_be_destroyed_net_list);
+		spin_unlock_irqrestore(&to_be_destroyed_net_list_lock, flags);
+	}
+	pr_info("Releasing net=%px net->ns.count=%d in_use=%d\n",
+		net, refcount_read(&net->ns.count), sock_inuse_get(net));
+	dump_stack();
 	ref_tracker_dir_exit(&net->refcnt_tracker);
 	/* Cleanup the network namespace in process context */
 	if (llist_add(&net->cleanup_list, &cleanup_list))
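Review bot: if the `GFP_ATOMIC` allocation in `__put_net()` fails, `net` is silently never recorded and every later `is_to_be_destroyed_net(net)` returns a false negative. Since `struct net` is leaked anyway by the `net_free()` change, a `struct list_head` embedded in `struct net` would avoid the allocation entirely; failing that, at least `pr_warn()` when `entry` is NULL so a missed detection can be explained. The unconditional `dump_stack()` on every namespace release is fine for a single reproducer but will be noisy under a syzkaller load.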
@@ -1382,4 +1424,113 @@ const struct proc_ns_operations netns_operations = {
 	.install	= netns_install,
 	.owner		= netns_owner,
 };
+
+struct net *get_net(struct net *net)
+{
+	refcount_inc(&net->ns.count);
+	if (net != &init_net) {
+		pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
+		dump_stack();
+	}
+	return net;
+}
+EXPORT_SYMBOL(get_net);
+
+struct net *maybe_get_net(struct net *net)
+{
+	/* Used when we know struct net exists but we
+	 * aren't guaranteed a previous reference count
+	 * exists.  If the reference count is zero this
+	 * function fails and returns NULL.
+	 */
+	if (!refcount_inc_not_zero(&net->ns.count))
+		net = NULL;
+	else if (net != &init_net) {
+		pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
+		dump_stack();
+	}
+	return net;
+}
+EXPORT_SYMBOL(maybe_get_net);
+
+void put_net(struct net *net)
+{
+	if (net != &init_net) {
+		pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
+		dump_stack();
+	}
+	if (refcount_dec_and_test(&net->ns.count))
+		__put_net(net);
+}
+EXPORT_SYMBOL(put_net);
+
+int net_eq(const struct net *net1, const struct net *net2)
+{
+	return net1 == net2;
+}
+EXPORT_SYMBOL(net_eq);
+
+int check_net(const struct net *net)
+{
+	return refcount_read(&net->ns.count) != 0;
+}
+EXPORT_SYMBOL(check_net);
+
+void sock_net_start_tracking(struct sock *sk, struct net *net)
+{
+	unsigned long flags;
+
+	if (net == &init_net)
+		return;
+	spin_lock_irqsave(&net_users_lock, flags);
+	list_add_tail(&sk->struct_net_user, &net->struct_net_users);
+	spin_unlock_irqrestore(&net_users_lock, flags);
+}
+
+void sock_net_end_tracking(struct sock *sk)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&net_users_lock, flags);
+	list_del(&sk->struct_net_user);
+	spin_unlock_irqrestore(&net_users_lock, flags);
+}
+
+struct net *sock_net(const struct sock *sk)
+{
+	struct net *net = read_pnet(&sk->sk_net);
+	unsigned long flags;
+	bool found = false;
+	struct sock *s;
+
+	if (net == &init_net)
+		return net;
+	spin_lock_irqsave(&net_users_lock, flags);
+	BUG_ON(!net->struct_net_users.next);
+	BUG_ON(!net->struct_net_users.prev);
+	list_for_each_entry(s, &net->struct_net_users, struct_net_user) {
+		BUG_ON(!s->struct_net_user.next);
+		BUG_ON(!s->struct_net_user.prev);
+		if (s == sk) {
+			found = true;
+			break;
+		}
+	}
+	spin_unlock_irqrestore(&net_users_lock, flags);
+	if (!found) {
+		pr_info("sock=%px is accessing untracked net=%px\n", sk, net);
+		pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
+			sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
+		dump_stack();
+	}
+	return net;
+}
+EXPORT_SYMBOL(sock_net);
+
+void sock_net_set(struct sock *sk, struct net *net)
+{
+	write_pnet(&sk->sk_net, net);
+}
+EXPORT_SYMBOL(sock_net_set);
+
 #endif
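Review bot: these definitions land inside the `#ifdef CONFIG_NET_NS` block that closes at the `#endif` in the trailing context, while sock.h now declares `sock_net()` and `sock_net_set()` unconditionally; a `CONFIG_NET_NS=n` build will fail to link. Harmless for a one-off tracing kernel, but worth noting. The "untracked" report in `sock_net()` also reads `sk->sk_prot_creator->name`, which lies beyond `struct sock_common`; if that path is ever reached through a `req_to_sk()`-style cast rather than a full `struct sock`, the read is out of bounds, so guard it or drop the field from the message.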
diff --git a/net/core/sock.c b/net/core/sock.c
index 6eb174805bf0..3c303117e3bb 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1904,6 +1904,7 @@ static void sock_copy(struct sock *nsk, const struct sock *osk)
 	nsk->sk_security = sptr;
 	security_sk_clone(osk, nsk);
 #endif
+	sock_net_start_tracking(nsk, read_pnet(&nsk->sk_net));
 }
 
 static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
@@ -1953,10 +1954,12 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
 	cgroup_sk_free(&sk->sk_cgrp_data);
 	mem_cgroup_sk_free(sk);
 	security_sk_free(sk);
+	/*
 	if (slab != NULL)
 		kmem_cache_free(slab, sk);
 	else
 		kfree(sk);
+	*/
 	module_put(owner);
 }
 
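Review bot: `sock_net_end_tracking()` is defined but never called, so nothing ever removes a socket from `net->struct_net_users`; the obvious place is here in `sk_prot_free()`, before the (now commented-out) free. As written, the list only grows, every `sock_net()` call walks all sockets ever created in that namespace with IRQs disabled, and the walk stays memory-safe only because the free is disabled. If the leak is intentional, say so in a comment rather than leaving bare `/* ... */` around the free.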
@@ -1989,6 +1992,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
 			sock_inuse_add(net, 1);
 		}
 
+		sock_net_start_tracking(sk, net);
 		sock_net_set(sk, net);
 		refcount_set(&sk->sk_wmem_alloc, 1);
 
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 20cf4a98c69d..412bee1dc9cb 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -433,6 +433,7 @@ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req)
 			  TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX);
 }
 
+extern bool is_to_be_destroyed_net(struct net *net);
 
 /**
  *  tcp_retransmit_timer() - The TCP retransmit timeout handler
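Review bot: the `extern bool is_to_be_destroyed_net(struct net *net);` prototype belongs in include/net/net_namespace.h next to the other declarations this patch adds, not in a .c file (checkpatch: "externs should be avoided in .c files"); that also keeps the declaration and the definition in net_namespace.c from drifting apart.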
@@ -453,6 +454,13 @@ void tcp_retransmit_timer(struct sock *sk)
 	struct request_sock *req;
 	struct sk_buff *skb;
 
+	if (is_to_be_destroyed_net(net)) {
+		pr_info("BUG: Trying to access destroyed net=%px sk=%px\n", net, sk);
+		pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
+			sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
+		WARN_ON(1);
+	}
+
 	req = rcu_dereference_protected(tp->fastopen_rsk,
 					lockdep_sock_is_held(sk));
 	if (req) {
@@ -636,6 +644,7 @@ static void tcp_write_timer(struct timer_list *t)
 	struct inet_connection_sock *icsk =
 			from_timer(icsk, t, icsk_retransmit_timer);
 	struct sock *sk = &icsk->icsk_inet.sk;
+	struct net *net = sock_net(sk);
 
 	bh_lock_sock(sk);
 	if (!sock_owned_by_user(sk)) {
@@ -647,6 +656,11 @@ static void tcp_write_timer(struct timer_list *t)
 	}
 	bh_unlock_sock(sk);
 	sock_put(sk);
+	if (is_to_be_destroyed_net(net)) {
+		pr_info("INFO: About to destroy net=%px sk=%px\n", net, sk);
+		pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
+			sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
+	}
 }
 
 void tcp_syn_ack_timeout(const struct request_sock *req)
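Review bot: the new block dereferences `sk->sk_family`, `sk->sk_prot_creator` and friends after `sock_put(sk)` has dropped the timer's reference, which in an unpatched kernel is itself a use-after-free whenever that was the last reference; it stays safe here only because `sk_prot_free()` no longer frees the object. Move the `is_to_be_destroyed_net(net)` check and the printk before `sock_put(sk)`; `net` is already captured at the top of the function, so nothing else needs to change.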
------------------------------------------------------------

And below is the console output with this printk() patch.

------------------------------------------------------------
[   83.642910][ T2875] net_namespace: net=ffff888036278000 count=2
[   83.645415][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   83.648311][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   83.651893][ T2875] Call Trace:
[   83.653239][ T2875]  <TASK>
[   83.654540][ T2875]  dump_stack_lvl+0xcd/0x134
[   83.656428][ T2875]  get_net.cold+0x21/0x26
[   83.658194][ T2875]  sk_alloc+0x1ca/0x8a0
[   83.659979][ T2875]  __netlink_create+0x44/0x160
[   83.662246][ T2875]  netlink_create+0x210/0x310
[   83.664146][ T2875]  ? do_set_master+0x100/0x100
[   83.666538][ T2875]  __sock_create+0x20e/0x4f0
[   83.668648][ T2875]  __sys_socket+0x6f/0x140
[   83.670597][ T2875]  __x64_sys_socket+0x1a/0x20
[   83.672385][ T2875]  do_syscall_64+0x35/0xb0
[   83.674069][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   83.676201][ T2875] RIP: 0033:0x7fbbed5067db
[   83.677873][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[   83.685279][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[   83.688515][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
[   83.691782][ T2875] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000010
[   83.694835][ T2875] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fbbed617d50
[   83.697960][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 000055a16962f410
[   83.701245][ T2875] R13: 00007ffd7a1e7810 R14: 0000000000000000 R15: 0000000000000000
[   83.704951][ T2875]  </TASK>
[   83.708603][ T2875] net_namespace: net=ffff888036278000 count=3
[   83.712187][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   83.715235][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   83.718777][ T2875] Call Trace:
[   83.720083][ T2875]  <TASK>
[   83.721401][ T2875]  dump_stack_lvl+0xcd/0x134
[   83.723313][ T2875]  get_net.cold+0x21/0x26
[   83.725388][ T2875]  get_proc_task_net+0x99/0x1c0
[   83.727321][ T2875]  proc_tgid_net_lookup+0x21/0x60
[   83.729327][ T2875]  __lookup_slow+0x146/0x280
[   83.731453][ T2875]  walk_component+0x1f2/0x2a0
[   83.733426][ T2875]  path_lookupat.isra.0+0xc4/0x270
[   83.735638][ T2875]  filename_lookup+0x103/0x250
[   83.737518][ T2875]  ? unuse_pde+0x50/0x50
[   83.739230][ T2875]  ? simple_attr_release+0x20/0x20
[   83.741365][ T2875]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   83.746650][ T2875]  user_path_at_empty+0x42/0x60
[   83.748679][ T2875]  do_faccessat+0xd5/0x490
[   83.750698][ T2875]  do_syscall_64+0x35/0xb0
[   83.752750][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   83.755147][ T2875] RIP: 0033:0x7fbbed4f416b
[   83.756987][ T2875] Code: 77 05 c3 0f 1f 40 00 48 8b 15 21 dd 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 f3 0f 1e fa b8 15 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 f1 dc 0d 00 f7 d8
[   83.764201][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
[   83.767625][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed4f416b
[   83.770815][ T2875] RDX: 0000000000000008 RSI: 0000000000000004 RDI: 00007ffd7a1e64f0
[   83.773982][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0078696e752f7465
[   83.777202][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
[   83.780346][ T2875] R13: 00007ffd7a1e64f0 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   83.783686][ T2875]  </TASK>
[   83.785743][ T2875] net_namespace: net=ffff888036278000 count=3
[   83.788711][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   83.791774][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   83.795370][ T2875] Call Trace:
[   83.796779][ T2875]  <TASK>
[   83.798094][ T2875]  dump_stack_lvl+0xcd/0x134
[   83.800045][ T2875]  put_net.cold+0x1f/0x24
[   83.802444][ T2875]  proc_tgid_net_lookup+0x4b/0x60
[   83.804936][ T2875]  __lookup_slow+0x146/0x280
[   83.806890][ T2875]  walk_component+0x1f2/0x2a0
[   83.808840][ T2875]  path_lookupat.isra.0+0xc4/0x270
[   83.810945][ T2875]  filename_lookup+0x103/0x250
[   83.812928][ T2875]  ? unuse_pde+0x50/0x50
[   83.814760][ T2875]  ? simple_attr_release+0x20/0x20
[   83.817416][ T2875]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   83.819696][ T2875]  user_path_at_empty+0x42/0x60
[   83.822173][ T2875]  do_faccessat+0xd5/0x490
[   83.823958][ T2875]  do_syscall_64+0x35/0xb0
[   83.825808][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   83.827975][ T2875] RIP: 0033:0x7fbbed4f416b
[   83.829676][ T2875] Code: 77 05 c3 0f 1f 40 00 48 8b 15 21 dd 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 f3 0f 1e fa b8 15 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 f1 dc 0d 00 f7 d8
[   83.836926][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
[   83.840089][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed4f416b
[   83.843171][ T2875] RDX: 0000000000000008 RSI: 0000000000000004 RDI: 00007ffd7a1e64f0
[   83.846444][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0078696e752f7465
[   83.849481][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
[   83.852857][ T2875] R13: 00007ffd7a1e64f0 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   83.855888][ T2875]  </TASK>
[   83.857759][ T2875] net_namespace: net=ffff888036278000 count=3
[   83.860508][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   83.863611][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   83.867655][ T2875] Call Trace:
[   83.869162][ T2875]  <TASK>
[   83.870467][ T2875]  dump_stack_lvl+0xcd/0x134
[   83.872611][ T2875]  get_net.cold+0x21/0x26
[   83.874572][ T2875]  sk_alloc+0x1ca/0x8a0
[   83.876337][ T2875]  unix_create1+0x81/0x2c0
[   83.878159][ T2875]  unix_create+0x9a/0x130
[   83.880015][ T2875]  __sock_create+0x20e/0x4f0
[   83.881874][ T2875]  __sys_socket+0x6f/0x140
[   83.883730][ T2875]  __x64_sys_socket+0x1a/0x20
[   83.886127][ T2875]  do_syscall_64+0x35/0xb0
[   83.888040][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   83.890433][ T2875] RIP: 0033:0x7fbbed5067db
[   83.892409][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[   83.899534][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[   83.903158][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed5067db
[   83.906369][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
[   83.909364][ T2875] RBP: 0000000000000002 R08: 000000000000000d R09: 0078696e752f7465
[   83.912373][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
[   83.915860][ T2875] R13: 00007ffd7a1e64f0 R14: 0000000000000001 R15: 0000000000000000
[   83.919121][ T2875]  </TASK>
[   83.921478][ T2875] net_namespace: net=ffff888036278000 count=3
[   83.924516][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   83.927520][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   83.931006][ T2875] Call Trace:
[   83.932385][ T2875]  <TASK>
[   83.933651][ T2875]  dump_stack_lvl+0xcd/0x134
[   83.935827][ T2875]  put_net.cold+0x1f/0x24
[   83.937612][ T2875]  __sk_destruct+0x1f9/0x3b0
[   83.939531][ T2875]  sk_destruct+0xa6/0xc0
[   83.941428][ T2875]  __sk_free+0x5a/0x1b0
[   83.943189][ T2875]  sk_free+0x6b/0x90
[   83.944884][ T2875]  unix_release_sock+0x4d4/0x6d0
[   83.946887][ T2875]  unix_release+0x2d/0x40
[   83.948674][ T2875]  __sock_release+0x47/0xd0
[   83.950652][ T2875]  ? __sock_release+0xd0/0xd0
[   83.952626][ T2875]  sock_close+0x18/0x20
[   83.954491][ T2875]  __fput+0x117/0x450
[   83.956241][ T2875]  task_work_run+0x75/0xd0
[   83.958071][ T2875]  exit_to_user_mode_prepare+0x273/0x280
[   83.960365][ T2875]  syscall_exit_to_user_mode+0x19/0x60
[   83.962612][ T2875]  do_syscall_64+0x42/0xb0
[   83.964521][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   83.967103][ T2875] RIP: 0033:0x7fbbed4f937b
[   83.968976][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
[   83.976315][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   83.979599][ T2875] RAX: 0000000000000000 RBX: 0000000000001802 RCX: 00007fbbed4f937b
[   83.982751][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
[   83.985979][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 0078696e752f7465
[   83.989107][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007ffd7a1e6540
[   83.992365][ T2875] R13: 00007ffd7a1e762c R14: 00007ffd7a1e7680 R15: 0000000000000000
[   83.995633][ T2875]  </TASK>
[   83.998686][ T2875] net_namespace: net=ffff888036278000 count=3
[   84.001243][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.005041][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.008594][ T2875] Call Trace:
[   84.010029][ T2875]  <TASK>
[   84.011797][ T2875]  dump_stack_lvl+0xcd/0x134
[   84.013820][ T2875]  get_net.cold+0x21/0x26
[   84.016049][ T2875]  sk_alloc+0x1ca/0x8a0
[   84.018006][ T2875]  unix_create1+0x81/0x2c0
[   84.019853][ T2875]  unix_create+0x9a/0x130
[   84.021779][ T2875]  __sock_create+0x20e/0x4f0
[   84.023672][ T2875]  __sys_socket+0x6f/0x140
[   84.025544][ T2875]  __x64_sys_socket+0x1a/0x20
[   84.027473][ T2875]  do_syscall_64+0x35/0xb0
[   84.029310][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.031710][ T2875] RIP: 0033:0x7fbbed5067db
[   84.033512][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[   84.041069][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[   84.044342][ T2875] RAX: ffffffffffffffda RBX: 000000000000780a RCX: 00007fbbed5067db
[   84.047336][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
[   84.050451][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 000055a16963001a
[   84.053617][ T2875] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffd7a1e6540
[   84.056885][ T2875] R13: 00007ffd7a1e7680 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.059933][ T2875]  </TASK>
[   84.061977][ T2875] net_namespace: net=ffff888036278000 count=3
[   84.064619][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.067684][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.071207][ T2875] Call Trace:
[   84.072586][ T2875]  <TASK>
[   84.073835][ T2875]  dump_stack_lvl+0xcd/0x134
[   84.075862][ T2875]  put_net.cold+0x1f/0x24
[   84.077663][ T2875]  __sk_destruct+0x1f9/0x3b0
[   84.079540][ T2875]  sk_destruct+0xa6/0xc0
[   84.081437][ T2875]  __sk_free+0x5a/0x1b0
[   84.085862][ T2875]  sk_free+0x6b/0x90
[   84.087628][ T2875]  unix_release_sock+0x4d4/0x6d0
[   84.089575][ T2875]  unix_release+0x2d/0x40
[   84.091333][ T2875]  __sock_release+0x47/0xd0
[   84.093107][ T2875]  ? __sock_release+0xd0/0xd0
[   84.095003][ T2875]  sock_close+0x18/0x20
[   84.096801][ T2875]  __fput+0x117/0x450
[   84.098375][ T2875]  task_work_run+0x75/0xd0
[   84.100983][ T2875]  exit_to_user_mode_prepare+0x273/0x280
[   84.103425][ T2875]  syscall_exit_to_user_mode+0x19/0x60
[   84.105626][ T2875]  do_syscall_64+0x42/0xb0
[   84.107471][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.109773][ T2875] RIP: 0033:0x7fbbed4f937b
[   84.111613][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
[   84.118931][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   84.122539][ T2875] RAX: 0000000000000000 RBX: 000000000000780a RCX: 00007fbbed4f937b
[   84.125766][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
[   84.129038][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 000055a16963001a
[   84.132217][ T2875] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffd7a1e6540
[   84.135522][ T2875] R13: 00007ffd7a1e7680 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.138787][ T2875]  </TASK>
[   84.141378][ T2875] net_namespace: net=ffff888036278000 count=3
[   84.143692][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.146720][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.150247][ T2875] Call Trace:
[   84.151721][ T2875]  <TASK>
[   84.153004][ T2875]  dump_stack_lvl+0xcd/0x134
[   84.154955][ T2875]  get_net.cold+0x21/0x26
[   84.156772][ T2875]  sk_alloc+0x1ca/0x8a0
[   84.158541][ T2875]  unix_create1+0x81/0x2c0
[   84.160417][ T2875]  unix_create+0x9a/0x130
[   84.162226][ T2875]  __sock_create+0x20e/0x4f0
[   84.164112][ T2875]  __sys_socket+0x6f/0x140
[   84.166350][ T2875]  __x64_sys_socket+0x1a/0x20
[   84.168367][ T2875]  do_syscall_64+0x35/0xb0
[   84.170319][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.172755][ T2875] RIP: 0033:0x7fbbed5067db
[   84.174630][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[   84.181843][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[   84.185360][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
[   84.188587][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
[   84.191962][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0000000000000000
[   84.195151][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7a1e6540
[   84.198247][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.201606][ T2875]  </TASK>
[   84.203465][ T2875] net_namespace: net=ffff888036278000 count=3
[   84.206040][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.209034][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.212497][ T2875] Call Trace:
[   84.213878][ T2875]  <TASK>
[   84.215443][ T2875]  dump_stack_lvl+0xcd/0x134
[   84.217370][ T2875]  put_net.cold+0x1f/0x24
[   84.219202][ T2875]  __sk_destruct+0x1f9/0x3b0
[   84.221245][ T2875]  sk_destruct+0xa6/0xc0
[   84.223004][ T2875]  __sk_free+0x5a/0x1b0
[   84.224776][ T2875]  sk_free+0x6b/0x90
[   84.226342][ T2875]  unix_release_sock+0x4d4/0x6d0
[   84.228268][ T2875]  unix_release+0x2d/0x40
[   84.230137][ T2875]  __sock_release+0x47/0xd0
[   84.231923][ T2875]  ? __sock_release+0xd0/0xd0
[   84.233765][ T2875]  sock_close+0x18/0x20
[   84.236000][ T2875]  __fput+0x117/0x450
[   84.237704][ T2875]  task_work_run+0x75/0xd0
[   84.239496][ T2875]  exit_to_user_mode_prepare+0x273/0x280
[   84.242142][ T2875]  syscall_exit_to_user_mode+0x19/0x60
[   84.244474][ T2875]  do_syscall_64+0x42/0xb0
[   84.246441][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.248704][ T2875] RIP: 0033:0x7fbbed4f937b
[   84.250500][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
[   84.257987][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   84.261471][ T2875] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fbbed4f937b
[   84.264691][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
[   84.267780][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 0000000000000000
[   84.271032][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7a1e6540
[   84.274208][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.277498][ T2875]  </TASK>
[   84.287045][ T2875] net_namespace: net=ffff888036278000 count=3
[   84.289271][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.292514][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.296133][ T2875] Call Trace:
[   84.297568][ T2875]  <TASK>
[   84.298859][ T2875]  dump_stack_lvl+0xcd/0x134
[   84.300918][ T2875]  get_net.cold+0x21/0x26
[   84.302637][ T2875]  sk_alloc+0x1ca/0x8a0
[   84.304653][ T2875]  inet_create+0x21e/0x7e0
[   84.306778][ T2875]  __sock_create+0x20e/0x4f0
[   84.308690][ T2875]  __sys_socket+0x6f/0x140
[   84.310513][ T2875]  __x64_sys_socket+0x1a/0x20
[   84.312659][ T2875]  do_syscall_64+0x35/0xb0
[   84.314573][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.316905][ T2875] RIP: 0033:0x7fbbed5067db
[   84.318820][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
[   84.325864][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[   84.329133][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
[   84.332546][ T2875] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
[   84.336076][ T2875] RBP: 00007ffd7a1e762c R08: 0000000000000000 R09: 0000000000000000
[   84.339372][ T2875] R10: 1999999999999999 R11: 0000000000000246 R12: 00007ffd7a1e7630
[   84.342502][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.345680][ T2875]  </TASK>
[   84.353592][    C0] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
[   84.358423][    C0] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=3
[   84.363617][    C0] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.366717][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.370399][    C0] Call Trace:
[   84.371855][    C0]  <IRQ>
[   84.373042][    C0]  dump_stack_lvl+0xcd/0x134
[   84.374866][    C0]  sock_net+0x118/0x160
[   84.376672][    C0]  inet_ehash_insert+0x98/0x490
[   84.378737][    C0]  inet_csk_reqsk_queue_hash_add+0x5b/0x80
[   84.381582][    C0]  tcp_conn_request+0x1082/0x14a0
[   84.383746][    C0]  ? tcp_v4_conn_request+0x6c/0x120
[   84.386019][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.388249][    C0]  tcp_v4_conn_request+0x6c/0x120
[   84.390356][    C0]  tcp_v6_conn_request+0x157/0x1d0
[   84.392458][    C0]  tcp_rcv_state_process+0x443/0x1f20
[   84.394725][    C0]  ? tcp_v4_do_rcv+0x1b5/0x600
[   84.396681][    C0]  tcp_v4_do_rcv+0x1b5/0x600
[   84.398620][    C0]  tcp_v4_rcv+0x1bad/0x1de0
[   84.400791][    C0]  ip_protocol_deliver_rcu+0x52/0x630
[   84.403773][    C0]  ip_local_deliver_finish+0xb4/0x1d0
[   84.406060][    C0]  ip_local_deliver+0xa7/0x320
[   84.408075][    C0]  ? ip_protocol_deliver_rcu+0x630/0x630
[   84.410374][    C0]  ip_rcv_finish+0x108/0x170
[   84.412225][    C0]  ip_rcv+0x69/0x2f0
[   84.413859][    C0]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[   84.416510][    C0]  __netif_receive_skb_one_core+0x6a/0xa0
[   84.418949][    C0]  __netif_receive_skb+0x24/0xa0
[   84.421102][    C0]  process_backlog+0x11d/0x320
[   84.422978][    C0]  __napi_poll+0x3d/0x3e0
[   84.424808][    C0]  net_rx_action+0x34e/0x480
[   84.426713][    C0]  __do_softirq+0xde/0x539
[   84.428458][    C0]  ? ip_finish_output2+0x401/0x1060
[   84.430566][    C0]  do_softirq+0xb1/0xf0
[   84.432611][    C0]  </IRQ>
[   84.433909][    C0]  <TASK>
[   84.435285][    C0]  __local_bh_enable_ip+0xbf/0xd0
[   84.437418][    C0]  ip_finish_output2+0x42f/0x1060
[   84.439382][    C0]  ? __ip_finish_output+0x471/0x840
[   84.443928][    C0]  __ip_finish_output+0x471/0x840
[   84.445988][    C0]  ? write_comp_data+0x1c/0x70
[   84.448014][    C0]  ip_finish_output+0x32/0x140
[   84.449946][    C0]  ip_output+0xb2/0x3b0
[   84.451881][    C0]  ? __ip_finish_output+0x840/0x840
[   84.453979][    C0]  ip_local_out+0x6e/0xd0
[   84.455733][    C0]  __ip_queue_xmit+0x306/0x950
[   84.457580][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.459761][    C0]  ? sock_net+0x11d/0x160
[   84.461577][    C0]  __tcp_transmit_skb+0x845/0x1380
[   84.463573][    C0]  tcp_connect+0xb02/0x1c80
[   84.465713][    C0]  ? preempt_schedule_common+0x32/0x80
[   84.468040][    C0]  tcp_v4_connect+0x72c/0x820
[   84.470357][    C0]  __inet_stream_connect+0x157/0x630
[   84.473029][    C0]  ? kmem_cache_alloc_trace+0x556/0x690
[   84.475392][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.477659][    C0]  tcp_sendmsg_locked+0xf16/0x1440
[   84.479765][    C0]  ? __local_bh_enable_ip+0x72/0xd0
[   84.481880][    C0]  tcp_sendmsg+0x2b/0x40
[   84.483651][    C0]  inet_sendmsg+0x45/0x70
[   84.485640][    C0]  ? inet_send_prepare+0x2e0/0x2e0
[   84.487807][    C0]  ____sys_sendmsg+0x390/0x3e0
[   84.489794][    C0]  ? debug_object_activate+0x193/0x210
[   84.491915][    C0]  ___sys_sendmsg+0x97/0xe0
[   84.493713][    C0]  ? __lock_acquire+0x3b2/0x3160
[   84.495653][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.497772][    C0]  ? __fget_light+0x99/0xe0
[   84.499582][    C0]  __sys_sendmsg+0x88/0x100
[   84.501976][    C0]  do_syscall_64+0x35/0xb0
[   84.503841][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.506292][    C0] RIP: 0033:0x7fbbed5ec0f7
[   84.508154][    C0] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[   84.515353][    C0] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   84.518867][    C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
[   84.522178][    C0] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
[   84.525355][    C0] RBP: 00007ffd7a1e762c R08: 0000000000000000 R09: 0000000000000000
[   84.528392][    C0] R10: 1999999999999999 R11: 0000000000000246 R12: 00007ffd7a1e7630
[   84.531766][    C0] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.535012][    C0]  </TASK>
[   84.554710][    C0] net_namespace: net=ffff888036278000 count=3
[   84.557308][    C0] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.560308][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.563719][    C0] Call Trace:
[   84.565561][    C0]  <IRQ>
[   84.566936][    C0]  dump_stack_lvl+0xcd/0x134
[   84.569111][    C0]  put_net.cold+0x1f/0x24
[   84.571071][    C0]  __sk_destruct+0x1f9/0x3b0
[   84.572995][    C0]  sk_destruct+0xa6/0xc0
[   84.574855][    C0]  __sk_free+0x5a/0x1b0
[   84.576633][    C0]  sk_free+0x6b/0x90
[   84.578324][    C0]  deferred_put_nlk_sk+0xb7/0x150
[   84.580383][    C0]  rcu_core+0x37d/0xa00
[   84.582144][    C0]  ? rcu_core+0x31e/0xa00
[   84.583970][    C0]  __do_softirq+0xde/0x539
[   84.586435][    C0]  ? tcp_sendmsg+0x1d/0x40
[   84.588290][    C0]  do_softirq+0xb1/0xf0
[   84.590022][    C0]  </IRQ>
[   84.591451][    C0]  <TASK>
[   84.592751][    C0]  __local_bh_enable_ip+0xbf/0xd0
[   84.594866][    C0]  tcp_sendmsg+0x1d/0x40
[   84.596737][    C0]  inet_sendmsg+0x45/0x70
[   84.598573][    C0]  ? inet_send_prepare+0x2e0/0x2e0
[   84.600679][    C0]  ____sys_sendmsg+0x390/0x3e0
[   84.602707][    C0]  ___sys_sendmsg+0x97/0xe0
[   84.604712][    C0]  ? __lock_acquire+0x3b2/0x3160
[   84.607154][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.609429][    C0]  ? __fget_light+0x99/0xe0
[   84.611412][    C0]  __sys_sendmsg+0x88/0x100
[   84.613325][    C0]  do_syscall_64+0x35/0xb0
[   84.615297][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.617704][    C0] RIP: 0033:0x7fbbed5ec0f7
[   84.619846][    C0] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[   84.627115][    C0] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   84.630656][    C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
[   84.633812][    C0] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
[   84.638113][    C0] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[   84.641422][    C0] R10: 00007ffd7a1e762c R11: 0000000000000246 R12: 00007ffd7a1e7630
[   84.644856][    C0] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.648113][    C0]  </TASK>
[   84.745096][    C2] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
[   84.749028][    C2] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=2
[   84.754738][    C2] CPU: 2 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.757944][    C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.761531][    C2] Call Trace:
[   84.762930][    C2]  <IRQ>
[   84.764209][    C2]  dump_stack_lvl+0xcd/0x134
[   84.766204][    C2]  sock_net+0x118/0x160
[   84.768239][    C2]  __inet_lookup_established+0x127/0x360
[   84.770835][    C2]  tcp_v4_rcv+0xbae/0x1de0
[   84.772780][    C2]  ip_protocol_deliver_rcu+0x52/0x630
[   84.775163][    C2]  ip_local_deliver_finish+0xb4/0x1d0
[   84.777395][    C2]  ip_local_deliver+0xa7/0x320
[   84.779347][    C2]  ? ip_protocol_deliver_rcu+0x630/0x630
[   84.781711][    C2]  ip_rcv_finish+0x108/0x170
[   84.783656][    C2]  ip_rcv+0x69/0x2f0
[   84.785609][    C2]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[   84.787945][    C2]  __netif_receive_skb_one_core+0x6a/0xa0
[   84.790338][    C2]  __netif_receive_skb+0x24/0xa0
[   84.792346][    C2]  process_backlog+0x11d/0x320
[   84.794431][    C2]  __napi_poll+0x3d/0x3e0
[   84.796592][    C2]  net_rx_action+0x34e/0x480
[   84.798469][    C2]  __do_softirq+0xde/0x539
[   84.800514][    C2]  ? sock_setsockopt+0x103/0x19f0
[   84.803153][    C2]  do_softirq+0xb1/0xf0
[   84.805116][    C2]  </IRQ>
[   84.806534][    C2]  <TASK>
[   84.807900][    C2]  __local_bh_enable_ip+0xbf/0xd0
[   84.810002][    C2]  sock_setsockopt+0x103/0x19f0
[   84.812178][    C2]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.814535][    C2]  __sys_setsockopt+0x2d1/0x330
[   84.816496][    C2]  __x64_sys_setsockopt+0x22/0x30
[   84.818633][    C2]  do_syscall_64+0x35/0xb0
[   84.820620][    C2]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.823211][    C2] RIP: 0033:0x7fbbed50677e
[   84.825098][    C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
[   84.832280][    C2] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[   84.835905][    C2] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed50677e
[   84.839164][    C2] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
[   84.842605][    C2] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[   84.845893][    C2] R10: 00007ffd7a1e762c R11: 0000000000000217 R12: 00007ffd7a1e7630
[   84.849091][    C2] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.852527][    C2]  </TASK>
[   84.854068][    C2] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
[   84.858121][    C2] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=2
[   84.863384][    C2] CPU: 2 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   84.866705][    C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.870581][    C2] Call Trace:
[   84.872201][    C2]  <IRQ>
[   84.873449][    C2]  dump_stack_lvl+0xcd/0x134
[   84.875838][    C2]  sock_net+0x118/0x160
[   84.877670][    C2]  __inet_lookup_established+0x24f/0x360
[   84.880054][    C2]  tcp_v4_rcv+0xbae/0x1de0
[   84.881976][    C2]  ip_protocol_deliver_rcu+0x52/0x630
[   84.884083][    C2]  ip_local_deliver_finish+0xb4/0x1d0
[   84.886449][    C2]  ip_local_deliver+0xa7/0x320
[   84.888449][    C2]  ? ip_protocol_deliver_rcu+0x630/0x630
[   84.890881][    C2]  ip_rcv_finish+0x108/0x170
[   84.893022][    C2]  ip_rcv+0x69/0x2f0
[   84.894792][    C2]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[   84.897049][    C2]  __netif_receive_skb_one_core+0x6a/0xa0
[   84.899296][    C2]  __netif_receive_skb+0x24/0xa0
[   84.901420][    C2]  process_backlog+0x11d/0x320
[   84.903470][    C2]  __napi_poll+0x3d/0x3e0
[   84.905410][    C2]  net_rx_action+0x34e/0x480
[   84.907399][    C2]  __do_softirq+0xde/0x539
[   84.909259][    C2]  ? sock_setsockopt+0x103/0x19f0
[   84.914100][    C2]  do_softirq+0xb1/0xf0
[   84.915946][    C2]  </IRQ>
[   84.917252][    C2]  <TASK>
[   84.918598][    C2]  __local_bh_enable_ip+0xbf/0xd0
[   84.920777][    C2]  sock_setsockopt+0x103/0x19f0
[   84.922691][    C2]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.924959][    C2]  __sys_setsockopt+0x2d1/0x330
[   84.926866][    C2]  __x64_sys_setsockopt+0x22/0x30
[   84.928837][    C2]  do_syscall_64+0x35/0xb0
[   84.930807][    C2]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.933016][    C2] RIP: 0033:0x7fbbed50677e
[   84.934935][    C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
[   84.942206][    C2] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[   84.945740][    C2] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed50677e
[   84.948952][    C2] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
[   84.952352][    C2] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[   84.955693][    C2] R10: 00007ffd7a1e762c R11: 0000000000000217 R12: 00007ffd7a1e7630
[   84.958899][    C2] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   84.962649][    C2]  </TASK>
[   87.351519][ T2875] net_namespace: net=ffff888036278000 count=2
[   87.354530][ T2875] CPU: 1 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
[   87.357551][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   87.361185][ T2875] Call Trace:
[   87.362550][ T2875]  <TASK>
[   87.363891][ T2875]  dump_stack_lvl+0xcd/0x134
[   87.365794][ T2875]  put_net.cold+0x1f/0x24
[   87.367655][ T2875]  free_nsproxy+0x1fe/0x2c0
[   87.369737][ T2875]  switch_task_namespaces+0x83/0x90
[   87.372158][ T2875]  do_exit+0x566/0x13d0
[   87.374030][ T2875]  ? find_held_lock+0x2b/0x80
[   87.376164][ T2875]  ? get_signal+0x1ef/0x16b0
[   87.378079][ T2875]  do_group_exit+0x51/0x100
[   87.379966][ T2875]  get_signal+0x257/0x16b0
[   87.382106][ T2875]  arch_do_signal_or_restart+0xeb/0x7f0
[   87.384334][ T2875]  exit_to_user_mode_prepare+0x189/0x280
[   87.386547][ T2875]  syscall_exit_to_user_mode+0x19/0x60
[   87.388895][ T2875]  do_syscall_64+0x42/0xb0
[   87.390765][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   87.393095][ T2875] RIP: 0033:0x7fbbed5ec0f7
[   87.395241][ T2875] Code: Unable to access opcode bytes at RIP 0x7fbbed5ec0cd.
[   87.398613][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   87.402381][ T2875] RAX: ffffffffffffff96 RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
[   87.405723][ T2875] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
[   87.409023][ T2875] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
[   87.412238][ T2875] R10: 00007ffd7a1e762c R11: 0000000000000246 R12: 00007ffd7a1e7630
[   87.415477][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
[   87.418590][ T2875]  </TASK>
[   87.427287][ T2875] a.out (2875) used greatest stack depth: 11320 bytes left
[  234.697150][    C0] net_namespace: net=ffff888036278000 count=1
[  234.710780][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[  234.720528][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  234.727887][    C0] Call Trace:
[  234.730895][    C0]  <IRQ>
[  234.734086][    C0]  dump_stack_lvl+0xcd/0x134
[  234.738276][    C0]  put_net.cold+0x1f/0x24
[  234.742162][    C0]  __sk_destruct+0x1f9/0x3b0
[  234.746326][    C0]  sk_destruct+0xa6/0xc0
[  234.749219][    C0]  __sk_free+0x5a/0x1b0
[  234.751159][    C0]  sk_free+0x6b/0x90
[  234.753239][    C0]  tcp_write_timer+0x1ff/0x240
[  234.755181][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  234.757290][    C0]  call_timer_fn+0xe3/0x4f0
[  234.759095][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  234.761341][    C0]  run_timer_softirq+0x812/0xac0
[  234.763337][    C0]  __do_softirq+0xde/0x539
[  234.765104][    C0]  irq_exit_rcu+0xb6/0xf0
[  234.766789][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
[  234.769139][    C0]  </IRQ>
[  234.770482][    C0]  <TASK>
[  234.771702][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  234.774065][    C0] RIP: 0010:default_idle+0xb/0x10
[  234.776010][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[  234.783374][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
[  234.785849][    C0] RAX: 000000000002246b RBX: 0000000000000000 RCX: ffffffff842622c0
[  234.789116][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  234.792254][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[  234.795720][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[  234.798927][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[  234.802563][    C0]  default_idle_call+0x6a/0x260
[  234.804592][    C0]  do_idle+0x20c/0x260
[  234.806332][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[  234.808693][    C0]  cpu_startup_entry+0x14/0x20
[  234.810686][    C0]  start_kernel+0x8f7/0x91e
[  234.812538][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
[  234.815399][    C0]  </TASK>
[  234.816785][    C0] net_namespace: Releasing net=ffff888036278000 net->ns.count=0 in_use=0
[  234.820358][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[  234.823664][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  234.827160][    C0] Call Trace:
[  234.828540][    C0]  <IRQ>
[  234.829812][    C0]  dump_stack_lvl+0xcd/0x134
[  234.831775][    C0]  __put_net+0xc8/0x130
[  234.834723][    C0]  put_net+0x7d/0xb0
[  234.836516][    C0]  __sk_destruct+0x1f9/0x3b0
[  234.838546][    C0]  sk_destruct+0xa6/0xc0
[  234.840453][    C0]  __sk_free+0x5a/0x1b0
[  234.842217][    C0]  sk_free+0x6b/0x90
[  234.844007][    C0]  tcp_write_timer+0x1ff/0x240
[  234.845938][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  234.848146][    C0]  call_timer_fn+0xe3/0x4f0
[  234.850145][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  234.852503][    C0]  run_timer_softirq+0x812/0xac0
[  234.855025][    C0]  __do_softirq+0xde/0x539
[  234.856908][    C0]  irq_exit_rcu+0xb6/0xf0
[  234.858712][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
[  234.860980][    C0]  </IRQ>
[  234.862279][    C0]  <TASK>
[  234.863598][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  234.865966][    C0] RIP: 0010:default_idle+0xb/0x10
[  234.868109][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[  234.875407][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
[  234.877869][    C0] RAX: 000000000002246b RBX: 0000000000000000 RCX: ffffffff842622c0
[  234.881349][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  234.885150][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[  234.888442][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[  234.891831][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[  234.895041][    C0]  default_idle_call+0x6a/0x260
[  234.897019][    C0]  do_idle+0x20c/0x260
[  234.898782][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[  234.901456][    C0]  cpu_startup_entry+0x14/0x20
[  234.903364][    C0]  start_kernel+0x8f7/0x91e
[  234.905180][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
[  234.907426][    C0]  </TASK>
[  234.909661][    C0] INFO: About to destroy net=ffff888036278000 sk=ffff888036058b80
[  234.913082][    C0] sk->sk_family=2 sk->sk_prot_creator->name=TCP sk->sk_state=7 sk->sk_flags=0x301 net->ns.count=0
[  260.295512][    C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
[  260.301941][    C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
[  260.317639][    C0] ------------[ cut here ]------------
[  260.323152][    C0] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:461 tcp_retransmit_timer.cold+0xdf/0xe6
[  260.334901][    C0] Modules linked in:
[  260.338356][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[  260.342593][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  260.346821][    C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
[  260.349704][    C0] Code: 10 48 c7 c7 60 9d ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 a8 25 f2 ff <0f> 0b e9 b6 40 5f ff e8 f3 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
[  260.359054][    C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
[  260.362281][    C0] RAX: 0000000000000063 RBX: ffff888036278000 RCX: ffffffff842622c0
[  260.365646][    C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
[  260.368691][    C0] RBP: ffff88800e2d8000 R08: ffffffff81170398 R09: 0000000000000000
[  260.371828][    C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
[  260.375009][    C0] R13: ffff88800e2d8000 R14: ffff88800e2d8098 R15: ffff88800e2d8080
[  260.378533][    C0] FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[  260.382408][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  260.385155][    C0] CR2: 00007fbbed4c8dc0 CR3: 000000000d765000 CR4: 00000000000506f0
[  260.388406][    C0] Call Trace:
[  260.389929][    C0]  <IRQ>
[  260.391386][    C0]  ? lockdep_hardirqs_on+0x79/0x100
[  260.393743][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[  260.396147][    C0]  ? ktime_get+0x2d3/0x400
[  260.398064][    C0]  tcp_write_timer_handler+0x257/0x3f0
[  260.400357][    C0]  tcp_write_timer+0x19c/0x240
[  260.402389][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  260.405068][    C0]  call_timer_fn+0xe3/0x4f0
[  260.407041][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  260.409308][    C0]  run_timer_softirq+0x812/0xac0
[  260.411613][    C0]  __do_softirq+0xde/0x539
[  260.413646][    C0]  irq_exit_rcu+0xb6/0xf0
[  260.415607][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
[  260.417882][    C0]  </IRQ>
[  260.419276][    C0]  <TASK>
[  260.420672][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  260.423039][    C0] RIP: 0010:default_idle+0xb/0x10
[  260.425291][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[  260.433105][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000206
[  260.435589][    C0] RAX: 0000000000024239 RBX: 0000000000000000 RCX: ffffffff842622c0
[  260.438759][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  260.441945][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[  260.445777][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[  260.449093][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[  260.452404][    C0]  default_idle_call+0x6a/0x260
[  260.454562][    C0]  do_idle+0x20c/0x260
[  260.456353][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[  260.458887][    C0]  cpu_startup_entry+0x14/0x20
[  260.461152][    C0]  start_kernel+0x8f7/0x91e
[  260.463226][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
[  260.465718][    C0]  </TASK>
[  260.467111][    C0] Kernel panic - not syncing: panic_on_warn set ...
[  260.469664][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
[  260.472684][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  260.476355][    C0] Call Trace:
[  260.477800][    C0]  <IRQ>
[  260.479141][    C0]  dump_stack_lvl+0xcd/0x134
[  260.481197][    C0]  panic+0x1d0/0x537
[  260.482913][    C0]  ? __warn.cold+0xb0/0x228
[  260.484892][    C0]  ? tcp_retransmit_timer.cold+0xdf/0xe6
[  260.487190][    C0]  __warn.cold+0xc6/0x228
[  260.488963][    C0]  ? tcp_retransmit_timer.cold+0xdf/0xe6
[  260.491241][    C0]  report_bug+0x188/0x1d0
[  260.493109][    C0]  handle_bug+0x3c/0x60
[  260.495107][    C0]  exc_invalid_op+0x14/0x70
[  260.497016][    C0]  asm_exc_invalid_op+0x12/0x20
[  260.499037][    C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
[  260.501651][    C0] Code: 10 48 c7 c7 60 9d ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 a8 25 f2 ff <0f> 0b e9 b6 40 5f ff e8 f3 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
[  260.508760][    C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
[  260.511211][    C0] RAX: 0000000000000063 RBX: ffff888036278000 RCX: ffffffff842622c0
[  260.514559][    C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
[  260.517942][    C0] RBP: ffff88800e2d8000 R08: ffffffff81170398 R09: 0000000000000000
[  260.521127][    C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
[  260.524366][    C0] R13: ffff88800e2d8000 R14: ffff88800e2d8098 R15: ffff88800e2d8080
[  260.528260][    C0]  ? vprintk+0x88/0x90
[  260.530145][    C0]  ? lockdep_hardirqs_on+0x79/0x100
[  260.532452][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[  260.535072][    C0]  ? ktime_get+0x2d3/0x400
[  260.536958][    C0]  tcp_write_timer_handler+0x257/0x3f0
[  260.539214][    C0]  tcp_write_timer+0x19c/0x240
[  260.541237][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  260.543627][    C0]  call_timer_fn+0xe3/0x4f0
[  260.545677][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  260.547973][    C0]  run_timer_softirq+0x812/0xac0
[  260.550053][    C0]  __do_softirq+0xde/0x539
[  260.551937][    C0]  irq_exit_rcu+0xb6/0xf0
[  260.553767][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
[  260.556439][    C0]  </IRQ>
[  260.557744][    C0]  <TASK>
[  260.559051][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  260.561515][    C0] RIP: 0010:default_idle+0xb/0x10
[  260.563619][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[  260.570866][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000206
[  260.573255][    C0] RAX: 0000000000024239 RBX: 0000000000000000 RCX: ffffffff842622c0
[  260.577004][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  260.580254][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[  260.583366][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[  260.586553][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[  260.589759][    C0]  default_idle_call+0x6a/0x260
[  260.591774][    C0]  do_idle+0x20c/0x260
[  260.593618][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[  260.596736][    C0]  cpu_startup_entry+0x14/0x20
[  260.598736][    C0]  start_kernel+0x8f7/0x91e
[  260.600659][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
[  260.603066][    C0]  </TASK>
[  260.605294][    C0] Kernel Offset: disabled
[  260.607310][    C0] Rebooting in 10 seconds..
------------------------------------------------------------

Would you check where this PF_INET6 socket is created and whether
this PF_INET6 socket is taking a reference to the net namespace?


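The two sk->sk_family=... lines in the log above (the INFO socket at 234.913 and the BUG socket at 260.301) carry the information needed to answer the question just asked, but only as raw numbers. What follows is an added example, not code from this thread or from the kernel tree, that decodes them: sk_state against the numbering in include/net/tcp_states.h, sk_flags against the declaration order of enum sock_flags in include/net/sock.h (both assumed unchanged through v5.17, the kernel in the log), and the TCPF_CLOSE|TCPF_LISTEN half of the early-exit test at the top of tcp_write_timer_handler() to say whether tcp_retransmit_timer() is still reachable for that socket. The two sample lines are copied from the log; sk_outlives_net() is a heuristic of this example, not a kernel function, and the icsk_pending half of the kernel's test is not in the log, so it is not modelled.

```c
/* Added example (not from this thread or the kernel tree) that decodes the
 * "sk->sk_family=... net->ns.count=..." debug lines in the log above. Assumes
 * tcp_states.h numbering and the sock.h enum sock_flags order as of v5.17. */
#include <stdio.h>
#include <string.h>
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

struct sk_info {
	int family;          /* sk->sk_family: 2 = AF_INET, 10 = AF_INET6 */
	char prot[16];       /* sk->sk_prot_creator->name */
	int state;           /* sk->sk_state */
	unsigned long flags; /* sk->sk_flags: bit i is enum sock_flags value i */
	long ns_count;       /* net->ns.count: 0 means the netns is already dying */
	int ok;              /* 1 when all five fields parsed */
};

static const char *const tcp_state_names[] = {
	"(0)", "TCP_ESTABLISHED", "TCP_SYN_SENT", "TCP_SYN_RECV", "TCP_FIN_WAIT1",
	"TCP_FIN_WAIT2", "TCP_TIME_WAIT", "TCP_CLOSE", "TCP_CLOSE_WAIT", "TCP_LAST_ACK",
	"TCP_LISTEN", "TCP_CLOSING", "TCP_NEW_SYN_RECV",
};

/* First 12 values of enum sock_flags, in declaration order. */
static const char *const sock_flag_names[] = {
	"SOCK_DEAD", "SOCK_DONE", "SOCK_URGINLINE", "SOCK_KEEPOPEN", "SOCK_LINGER", "SOCK_DESTROY",
	"SOCK_BROADCAST", "SOCK_TIMESTAMP", "SOCK_ZAPPED", "SOCK_USE_WRITE_QUEUE", "SOCK_DBG", "SOCK_RCVTSTAMP",
};

const char *tcp_state_name(int state)
{
	if (state < 0 || state >= (int)ARRAY_LEN(tcp_state_names))
		return "unknown";
	return tcp_state_names[state];
}

/* Render set bits as "A|B|C"; returns the count of set bits even if truncated. */
int format_sock_flags(unsigned long flags, char *out, size_t outlen)
{
	size_t used = 0;
	int n = 0, w;
	out[0] = '\0';
	for (unsigned int i = 0; i < 8 * sizeof(flags); i++) {
		if (!(flags & (1UL << i)))
			continue;
		w = i < ARRAY_LEN(sock_flag_names)
		    ? snprintf(out + used, outlen - used, "%s%s", n ? "|" : "", sock_flag_names[i])
		    : snprintf(out + used, outlen - used, "%sbit%u", n ? "|" : "", i);
		if (w > 0 && (size_t)w < outlen - used)
			used += (size_t)w;
		else
			used = outlen - 1; /* truncated: keep counting, stop writing */
		n++;
	}
	return n;
}

/* Parse one console line. The timestamp prefix and anything before the first
 * sk-> field are skipped, so the INFO line and the BUG line both work. */
struct sk_info parse_sk_line(const char *line)
{
	struct sk_info si;
	const char *p = strstr(line, "sk->sk_family=");
	memset(&si, 0, sizeof(si));
	if (p)
		si.ok = sscanf(p, "sk->sk_family=%d sk->sk_prot_creator->name=%15s "
				  "sk->sk_state=%d sk->sk_flags=%lx net->ns.count=%ld",
			       &si.family, si.prot, &si.state, &si.flags, &si.ns_count) == 5;
	return si;
}

/* The hazard in the report: the timer can still run the retransmit path while
 * sock_net(sk)'s count is already 0. The state test mirrors only the CLOSE|LISTEN
 * half of the early exit in tcp_write_timer_handler(); icsk_pending is not logged. */
int sk_outlives_net(const struct sk_info *si)
{
	int timer_path_reachable = si->state != 7 && si->state != 10;
	return si->ok && si->ns_count == 0 && timer_path_reachable;
}

int main(void)
{
	/* Both lines copied from the console log above. */
	static const char *const lines[] = {
		"[  234.913082][    C0] sk->sk_family=2 sk->sk_prot_creator->name=TCP sk->sk_state=7 sk->sk_flags=0x301 net->ns.count=0",
		"[  260.301941][    C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0",
	};
	char flags[256];
	for (size_t i = 0; i < ARRAY_LEN(lines); i++) {
		struct sk_info si = parse_sk_line(lines[i]);
		if (!si.ok)
			continue;
		format_sock_flags(si.flags, flags, sizeof(flags));
		printf("family=%d %s state=%s flags=%s ns.count=%ld -> %s\n", si.family,
		       si.prot, tcp_state_name(si.state), flags, si.ns_count,
		       sk_outlives_net(&si) ? "timer can still hit the freed netns" : "timer path not reachable");
	}
	return 0;
}
```

Built with cc -Wall, it reports the AF_INET socket as TCP_CLOSE with SOCK_DEAD|SOCK_ZAPPED|SOCK_USE_WRITE_QUEUE, a state in which tcp_write_timer_handler() returns before the retransmit code, and the AF_INET6 socket as TCP_CLOSING with SOCK_DEAD|SOCK_DONE|SOCK_KEEPOPEN|SOCK_ZAPPED|SOCK_USE_WRITE_QUEUE: an orphaned connection still mid-teardown whose retransmit timer did fire, against a net whose ns.count is already 0. That second socket is the one the question about netns references is aimed at.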

* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-09  8:19   ` Tetsuo Handa
@ 2022-04-09 16:46     ` Eric Dumazet
  2022-04-09 17:47       ` Eric Dumazet
  2022-04-22 14:40     ` Tetsuo Handa
  1 sibling, 1 reply; 11+ messages in thread
From: Eric Dumazet @ 2022-04-09 16:46 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko,
	Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern,
	John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski,
	Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, tpa,
	Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds,
	Trond Myklebust

On Sat, Apr 9, 2022 at 1:19 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> Hello, bpf developers.
>
> syzbot is reporting a use-after-free increment at __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS).
>
> ------------------------------------------------------------
> [  702.730585][    C1] ==================================================================
> [  702.743543][    C1] BUG: KASAN: use-after-free in tcp_retransmit_timer+0x6c0/0x1ba0
> [  702.754301][    C1] Read of size 8 at addr ffff88801eed82b8 by task swapper/1/0
> [  702.765301][    C1]
> [  702.768527][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0 #710
> [  702.778323][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [  702.790444][    C1] Call Trace:
> [  702.794903][    C1]  <IRQ>
> [  702.798753][    C1]  dump_stack_lvl+0xcd/0x134
> [  702.804962][    C1]  print_address_description.constprop.0.cold+0x93/0x35d
> [  702.809861][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  702.813344][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  702.817099][    C1]  kasan_report.cold+0x83/0xdf
> [  702.820010][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  702.823666][    C1]  tcp_retransmit_timer+0x6c0/0x1ba0
> [  702.827159][    C1]  ? tcp_mstamp_refresh+0xf/0x60
> [  702.830448][    C1]  ? tcp_delack_timer+0x290/0x290
> [  702.833410][    C1]  ? mark_held_locks+0x65/0x90
> [  702.836790][    C1]  ? ktime_get+0x365/0x420
> [  702.839893][    C1]  ? lockdep_hardirqs_on+0x79/0x100
> [  702.843144][    C1]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [  702.846621][    C1]  ? ktime_get+0x2e6/0x420
> [  702.849334][    C1]  tcp_write_timer_handler+0x32f/0x5f0
> [  702.852597][    C1]  tcp_write_timer+0x86/0x250
> [  702.855736][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  702.859211][    C1]  call_timer_fn+0x15d/0x5f0
> [  702.862327][    C1]  ? enqueue_timer+0x3b0/0x3b0
> [  702.865295][    C1]  ? lock_downgrade+0x3b0/0x3b0
> [  702.868462][    C1]  ? mark_held_locks+0x24/0x90
> [  702.871511][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  702.875369][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
> [  702.878610][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  702.882085][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  702.885866][    C1]  run_timer_softirq+0xbdb/0xee0
> [  702.889127][    C1]  ? call_timer_fn+0x5f0/0x5f0
> [  702.892021][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
> [  702.895881][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
> [  702.899151][    C1]  __do_softirq+0x117/0x692
> [  702.901960][    C1]  irq_exit_rcu+0xdb/0x110
> [  702.904885][    C1]  sysvec_apic_timer_interrupt+0x93/0xc0
> [  702.908837][    C1]  </IRQ>
> [  702.910666][    C1]  <TASK>
> [  702.965995][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  703.023333][    C1] RIP: 0010:default_idle+0xb/0x10
> [  703.076496][    C1] Code: 04 25 28 00 00 00 75 0f 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 f3 08 fe ff cc cc cc eb 07 0f 00 2d a7 45 50 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
> [  703.208123][    C1] RSP: 0018:ffffc90000757de0 EFLAGS: 00000202
> [  703.276495][    C1] RAX: 000000000008c3e3 RBX: 0000000000000001 RCX: ffffffff86145f10
> [  703.344388][    C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> [  703.411773][    C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed102338758b
> [  703.477687][    C1] R10: ffff888119c3ac53 R11: ffffed102338758a R12: 0000000000000001
> [  703.537679][    C1] R13: ffffffff8a539e50 R14: 0000000000000000 R15: ffff8881003e0000
> [  703.603213][    C1]  ? rcu_eqs_enter.constprop.0+0xb0/0x100
> [  703.667293][    C1]  default_idle_call+0xb1/0x330
> [  703.728393][    C1]  do_idle+0x37f/0x430
> [  703.789414][    C1]  ? mark_held_locks+0x24/0x90
> [  703.852441][    C1]  ? arch_cpu_idle_exit+0x30/0x30
> [  703.915057][    C1]  ? _raw_spin_unlock_irqrestore+0x50/0x70
> [  703.971934][    C1]  ? lockdep_hardirqs_on+0x79/0x100
> [  704.033376][    C1]  ? preempt_count_sub+0xf/0xb0
> [  704.095999][    C1]  cpu_startup_entry+0x14/0x20
> [  704.153464][    C1]  start_secondary+0x1b7/0x220
> [  704.216128][    C1]  ? set_cpu_sibling_map+0x1010/0x1010
> [  704.292706][    C1]  secondary_startup_64_no_verify+0xc3/0xcb
> [  704.357456][    C1]  </TASK>
> [  704.420920][    C1]
> [  704.483318][    C1] Allocated by task 4577:
> [  704.546652][    C1]  kasan_save_stack+0x1e/0x40
> [  704.610435][    C1]  __kasan_slab_alloc+0x90/0xc0
> [  704.671983][    C1]  kmem_cache_alloc+0x1d7/0x760
> [  704.734249][    C1]  copy_net_ns+0xaf/0x4a0
> [  704.795405][    C1]  create_new_namespaces.isra.0+0x254/0x660
> [  704.858394][    C1]  unshare_nsproxy_namespaces+0xb2/0x160
> [  704.920500][    C1]  ksys_unshare+0x372/0x780
> [  704.983267][    C1]  __x64_sys_unshare+0x1b/0x20
> [  705.046194][    C1]  do_syscall_64+0x35/0xb0
> [  705.107899][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  705.169680][    C1]
> [  705.231276][    C1] Freed by task 8:
> [  705.294349][    C1]  kasan_save_stack+0x1e/0x40
> [  705.359217][    C1]  kasan_set_track+0x21/0x30
> [  705.422445][    C1]  kasan_set_free_info+0x20/0x30
> [  705.481590][    C1]  __kasan_slab_free+0x11a/0x160
> [  705.544098][    C1]  kmem_cache_free+0xe6/0x6a0
> [  705.605324][    C1]  net_free+0x89/0xb0
> [  705.666356][    C1]  cleanup_net+0x64a/0x730
> [  705.728952][    C1]  process_one_work+0x65c/0xda0
> [  705.792462][    C1]  worker_thread+0x7f/0x760
> [  705.858871][    C1]  kthread+0x1c6/0x210
> [  705.920770][    C1]  ret_from_fork+0x1f/0x30
> [  705.978623][    C1]
> [  706.038487][    C1] The buggy address belongs to the object at ffff88801eed8000
> [  706.038487][    C1]  which belongs to the cache net_namespace of size 6528
> [  706.161551][    C1] The buggy address is located 696 bytes inside of
> [  706.161551][    C1]  6528-byte region [ffff88801eed8000, ffff88801eed9980)
> [  706.272381][    C1] The buggy address belongs to the page:
> [  706.334149][    C1] page:ffffea00007bb600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eed8
> [  706.400096][    C1] head:ffffea00007bb600 order:3 compound_mapcount:0 compound_pincount:0
> [  706.460895][    C1] memcg:ffff88801921b441
> [  706.519144][    C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
> [  706.585321][    C1] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888100024500
> [  706.652434][    C1] raw: 0000000000000000 0000000080040004 00000001ffffffff ffff88801921b441
> [  706.717358][    C1] page dumped because: kasan: bad access detected
> [  706.783699][    C1] page_owner tracks the page as allocated
> [  706.844889][    C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4577, ts 538093730950, free_ts 446175252650
> [  706.984997][    C1]  prep_new_page+0x134/0x170
> [  707.056009][    C1]  get_page_from_freelist+0x16c7/0x2510
> [  707.130614][    C1]  __alloc_pages+0x29a/0x580
> [  707.204976][    C1]  alloc_pages+0xda/0x1a0
> [  707.278364][    C1]  new_slab+0x29e/0x3a0
> [  707.350591][    C1]  ___slab_alloc+0xb66/0xf60
> [  707.416827][    C1]  __slab_alloc.isra.0+0x4d/0xa0
> [  707.487734][    C1]  kmem_cache_alloc+0x635/0x760
> [  707.560973][    C1]  copy_net_ns+0xaf/0x4a0
> [  707.631583][    C1]  create_new_namespaces.isra.0+0x254/0x660
> [  707.704556][    C1]  unshare_nsproxy_namespaces+0xb2/0x160
> [  707.778185][    C1]  ksys_unshare+0x372/0x780
> [  707.853990][    C1]  __x64_sys_unshare+0x1b/0x20
> [  707.927571][    C1]  do_syscall_64+0x35/0xb0
> [  707.999337][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  708.073634][    C1] page last free stack trace:
> [  708.145935][    C1]  free_pcp_prepare+0x325/0x650
> [  708.219254][    C1]  free_unref_page+0x19/0x360
> [  708.290288][    C1]  __unfreeze_partials+0x320/0x340
> [  708.359731][    C1]  qlist_free_all+0x6d/0x160
> [  708.431552][    C1]  kasan_quarantine_reduce+0x13d/0x180
> [  708.505070][    C1]  __kasan_slab_alloc+0xa2/0xc0
> [  708.577128][    C1]  kmem_cache_alloc+0x1d7/0x760
> [  708.649556][    C1]  vm_area_alloc+0x1c/0xa0
> [  708.725996][    C1]  mmap_region+0x64f/0xc40
> [  708.786537][    C1]  do_mmap+0x66b/0xa40
> [  708.861188][    C1]  vm_mmap_pgoff+0x1aa/0x270
> [  708.921977][    C1]  ksys_mmap_pgoff+0x357/0x410
> [  708.998067][    C1]  do_syscall_64+0x35/0xb0
> [  709.072158][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  709.142294][    C1]
> [  709.210670][    C1] Memory state around the buggy address:
> [  709.286139][    C1]  ffff88801eed8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  709.363031][    C1]  ffff88801eed8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  709.429425][    C1] >ffff88801eed8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  709.496217][    C1]                                         ^
> [  709.560374][    C1]  ffff88801eed8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  709.634175][    C1]  ffff88801eed8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  709.701217][    C1] ==================================================================
> [  709.767019][    C1] Disabling lock debugging due to kernel taint
> [  709.831133][    C1] Kernel panic - not syncing: panic_on_warn set ...
> [  709.890180][    C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             5.17.0 #710
> [  709.958293][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [  710.031328][    C1] Call Trace:
> [  710.096636][    C1]  <IRQ>
> [  710.165649][    C1]  dump_stack_lvl+0xcd/0x134
> [  710.232724][    C1]  panic+0x263/0x5fa
> [  710.300396][    C1]  ? __warn_printk+0xf3/0xf3
> [  710.362683][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  710.425386][    C1]  ? preempt_count_sub+0xf/0xb0
> [  710.487806][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  710.550567][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  710.612008][    C1]  end_report.cold+0x63/0x6f
> [  710.671465][    C1]  kasan_report.cold+0x71/0xdf
> [  710.731242][    C1]  ? tcp_retransmit_timer+0x6c0/0x1ba0
> [  710.792468][    C1]  tcp_retransmit_timer+0x6c0/0x1ba0
> [  710.850296][    C1]  ? tcp_mstamp_refresh+0xf/0x60
> [  710.911655][    C1]  ? tcp_delack_timer+0x290/0x290
> [  710.972588][    C1]  ? mark_held_locks+0x65/0x90
> [  711.033775][    C1]  ? ktime_get+0x365/0x420
> [  711.091494][    C1]  ? lockdep_hardirqs_on+0x79/0x100
> [  711.153223][    C1]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [  711.210432][    C1]  ? ktime_get+0x2e6/0x420
> [  711.269857][    C1]  tcp_write_timer_handler+0x32f/0x5f0
> [  711.331006][    C1]  tcp_write_timer+0x86/0x250
> [  711.391916][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  711.452155][    C1]  call_timer_fn+0x15d/0x5f0
> [  711.517305][    C1]  ? enqueue_timer+0x3b0/0x3b0
> [  711.580906][    C1]  ? lock_downgrade+0x3b0/0x3b0
> [  711.642255][    C1]  ? mark_held_locks+0x24/0x90
> [  711.703500][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  711.766484][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
> [  711.828625][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  711.889862][    C1]  ? tcp_write_timer_handler+0x5f0/0x5f0
> [  711.952756][    C1]  run_timer_softirq+0xbdb/0xee0
> [  712.014027][    C1]  ? call_timer_fn+0x5f0/0x5f0
> [  712.063350][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
> [  712.125673][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
> [  712.183626][    C1]  __do_softirq+0x117/0x692
> [  712.245067][    C1]  irq_exit_rcu+0xdb/0x110
> [  712.294611][    C1]  sysvec_apic_timer_interrupt+0x93/0xc0
> [  712.363854][    C1]  </IRQ>
> [  712.426802][    C1]  <TASK>
> [  712.482854][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  712.542428][    C1] RIP: 0010:default_idle+0xb/0x10
> [  712.577029][    C1] Code: 04 25 28 00 00 00 75 0f 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 f3 08 fe ff cc cc cc eb 07 0f 00 2d a7 45 50 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
> [  712.703886][    C1] RSP: 0018:ffffc90000757de0 EFLAGS: 00000202
> [  712.763854][    C1] RAX: 000000000008c3e3 RBX: 0000000000000001 RCX: ffffffff86145f10
> [  712.829677][    C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> [  712.893652][    C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed102338758b
> [  712.956344][    C1] R10: ffff888119c3ac53 R11: ffffed102338758a R12: 0000000000000001
> [  713.020195][    C1] R13: ffffffff8a539e50 R14: 0000000000000000 R15: ffff8881003e0000
> [  713.083426][    C1]  ? rcu_eqs_enter.constprop.0+0xb0/0x100
> [  713.144632][    C1]  default_idle_call+0xb1/0x330
> [  713.207385][    C1]  do_idle+0x37f/0x430
> [  713.269538][    C1]  ? mark_held_locks+0x24/0x90
> [  713.332700][    C1]  ? arch_cpu_idle_exit+0x30/0x30
> [  713.396223][    C1]  ? _raw_spin_unlock_irqrestore+0x50/0x70
> [  713.460909][    C1]  ? lockdep_hardirqs_on+0x79/0x100
> [  713.527012][    C1]  ? preempt_count_sub+0xf/0xb0
> [  713.594736][    C1]  cpu_startup_entry+0x14/0x20
> [  713.662751][    C1]  start_secondary+0x1b7/0x220
> [  713.718784][    C1]  ? set_cpu_sibling_map+0x1010/0x1010
> [  713.785338][    C1]  secondary_startup_64_no_verify+0xc3/0xcb
> [  713.851417][    C1]  </TASK>
> [  713.916633][    C1] Kernel Offset: disabled
> [  713.981646][    C1] Rebooting in 10 seconds..
> ------------------------------------------------------------
>
> I managed to convert https://syzkaller.appspot.com/text?tag=ReproC&x=14fcccedb00000
> into a single-threaded simple reproducer shown below.
>
> ------------------------------------------------------------
> // https://syzkaller.appspot.com/bug?id=8f0e04b2beffcd42f044d46879cc224f6eb71a99
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> #include <arpa/inet.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <net/if.h>
> #include <pthread.h>
> #include <stdbool.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/ioctl.h>
> #include <sys/socket.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
> #include <linux/bpf.h>
> #include <linux/if_ether.h>
> #include <linux/netlink.h>
> #include <linux/rtnetlink.h>
>
> #ifndef MSG_PROBE
> #define MSG_PROBE 0x10
> #endif
>
> struct nlmsg {
>         char* pos;
>         int nesting;
>         struct nlattr* nested[8];
>         char buf[4096];
> };
>
> static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
>                          const void* data, int size)
> {
>         memset(nlmsg, 0, sizeof(*nlmsg));
>         struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
>         hdr->nlmsg_type = typ;
>         hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
>         memcpy(hdr + 1, data, size);
>         nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
> }
>
> static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
>                          int size)
> {
>         struct nlattr* attr = (struct nlattr*)nlmsg->pos;
>         attr->nla_len = sizeof(*attr) + size;
>         attr->nla_type = typ;
>         if (size > 0)
>                 memcpy(attr + 1, data, size);
>         nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
> }
>
> static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
>                             int* reply_len, bool dofail)
> {
>         if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
>                 exit(1);
>         struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
>         hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
>         struct sockaddr_nl addr;
>         memset(&addr, 0, sizeof(addr));
>         addr.nl_family = AF_NETLINK;
>         ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
>                            (struct sockaddr*)&addr, sizeof(addr));
>         if (n != (ssize_t)hdr->nlmsg_len) {
>                 if (dofail)
>                         exit(1);
>                 return -1;
>         }
>         n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
>         if (reply_len)
>                 *reply_len = 0;
>         if (n < 0) {
>                 if (dofail)
>                         exit(1);
>                 return -1;
>         }
>         if (n < (ssize_t)sizeof(struct nlmsghdr)) {
>                 errno = EINVAL;
>                 if (dofail)
>                         exit(1);
>                 return -1;
>         }
>         if (hdr->nlmsg_type == NLMSG_DONE)
>                 return 0;
>         if (reply_len && hdr->nlmsg_type == reply_type) {
>                 *reply_len = n;
>                 return 0;
>         }
>         if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
>                 errno = EINVAL;
>                 if (dofail)
>                         exit(1);
>                 return -1;
>         }
>         if (hdr->nlmsg_type != NLMSG_ERROR) {
>                 errno = EINVAL;
>                 if (dofail)
>                         exit(1);
>                 return -1;
>         }
>         errno = -((struct nlmsgerr*)(hdr + 1))->error;
>         return -errno;
> }
>
> static int netlink_send(struct nlmsg* nlmsg, int sock)
> {
>         return netlink_send_ext(nlmsg, sock, 0, NULL, true);
> }
>
> static void netlink_device_change(int sock, const char* name, const void* mac, int macsize)
> {
>         struct nlmsg nlmsg;
>         struct ifinfomsg hdr;
>         memset(&hdr, 0, sizeof(hdr));
>         hdr.ifi_flags = hdr.ifi_change = IFF_UP;
>         hdr.ifi_index = if_nametoindex(name);
>         netlink_init(&nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
>         netlink_attr(&nlmsg, IFLA_ADDRESS, mac, macsize);
>         netlink_send(&nlmsg, sock);
> }
>
> static void netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize)
> {
>         struct nlmsg nlmsg;
>         struct ifaddrmsg hdr;
>         memset(&hdr, 0, sizeof(hdr));
>         hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
>         hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
>         hdr.ifa_scope = RT_SCOPE_UNIVERSE;
>         hdr.ifa_index = if_nametoindex(dev);
>         netlink_init(&nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
>                      sizeof(hdr));
>         netlink_attr(&nlmsg, IFA_LOCAL, addr, addrsize);
>         netlink_attr(&nlmsg, IFA_ADDRESS, addr, addrsize);
>         netlink_send(&nlmsg, sock);
> }
>
> static void netlink_add_addr4(int sock, const char* dev, const char* addr)
> {
>         struct in_addr in_addr;
>         inet_pton(AF_INET, addr, &in_addr);
>         netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
> }
>
> static void netlink_add_addr6(int sock, const char* dev, const char* addr)
> {
>         struct in6_addr in6_addr;
>         inet_pton(AF_INET6, addr, &in6_addr);
>         netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
> }
>
> static void initialize_netdevices(void)
> {
>         int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
>         uint64_t macaddr = 0x00aaaaaaaaaa;
>         if (fd == EOF)
>                 exit(1);
>         netlink_add_addr4(fd, "lo", "172.20.20.10");
>         netlink_add_addr6(fd, "lo", "fe80::0a");
>         netlink_device_change(fd, "lo", &macaddr, ETH_ALEN);
>         close(fd);
> }
>
> #ifndef __NR_bpf
> #define __NR_bpf 321
> #endif
>
> static const char program[2053] =
>         "\xbf\x16\x00\x00\x00\x00\x00\x00\xb7\x07\x00\x00\x01\x00\xf0\xff\x50\x70"
>         "\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\xc0\x00\x95\x00\x00\x00"
>         "\x00\x00\x00\x00\x2b\xa7\x28\x04\x15\x98\xd6\xfb\xd3\x0c\xb5\x99\xe8\x3d"
>         "\x24\xbd\x81\x37\xa3\xaa\x81\xe0\xed\x13\x9a\x85\xd3\x6b\xb3\x01\x9c\x13"
>         "\xbd\x23\x21\xaf\x3c\xf1\xa5\x4f\x26\xfb\xbf\x22\x0b\x71\xd0\xe6\xad\xfe"
>         "\xfc\xf1\xd8\xf7\xfa\xf7\x5e\x0f\x22\x6b\xd9\x17\x48\x79\x60\x71\x71\x42"
>         "\xfa\x9e\xa4\x31\x81\x23\x75\x1c\x0a\x0e\x16\x8c\x18\x86\xd0\xd4\xd3\x53"
>         "\x79\xbd\x22\x3e\xc8\x39\xbc\x16\xee\x98\x8e\x6e\x0d\xc8\xce\xdf\x3c\xeb"
>         "\x9f\xbf\xbf\x9b\x0a\x4d\xef\x23\xd4\x30\xf6\x09\x6b\x32\xa8\x34\x38\x81"
>         "\x07\x20\xa1\x59\xcd\xa9\x03\x63\xdb\x3d\x22\x1e\x15\x2d\xdc\xa6\x40\x57"
>         "\xff\x3c\x47\x44\xae\xac\xcd\x36\x41\x11\x0b\xec\x4e\x90\x27\xa0\xc8\x05"
>         "\x5b\xbf\xc3\xa9\x6d\x2e\x89\x10\xc2\xc3\x9e\x4b\xab\xe8\x02\xf5\xab\x3e"
>         "\x89\xcf\x6c\x66\x2e\xd4\x04\x8d\x3b\x3e\x22\x27\x8d\x00\x03\x1e\x53\x88"
>         "\xee\x5c\x6e\xce\x1c\xcb\x0c\xd2\xb6\xd3\xcf\xfd\x96\x9d\x18\xce\x74\x00"
>         "\x68\x72\x5c\x37\x07\x4e\x46\x8e\xe2\x07\xd2\xf7\x39\x02\xea\xcf\xcf\x49"
>         "\x82\x27\x75\x98\x5b\xf3\x1b\x71\x5f\x58\x88\xb2\xfd\x00\x00\x00\x00\x00"
>         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x60\xdb\xe7\x1c\xce\xee\x10\x00"
>         "\x00\xdd\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\xdd\xff\xff\xff"
>         "\x00\x00\xb2\x7c\xf3\xd1\x84\x8a\x54\xd7\x13\x2b\xe1\xff\xb0\xad\xf9\xde"
>         "\xab\x33\x23\xaa\x9f\xdf\xb5\x2f\xaf\x9c\xb0\x9c\x3b\xfd\x09\x00\x00\x00"
>         "\xb9\x1a\xb2\x19\xef\xde\xbb\x7b\x3d\xe8\xf6\x75\x81\xcf\x79\x6a\xad\x42"
>         "\x23\xb9\xff\x7f\xfc\xad\x3f\x6c\x96\x2b\x9f\x03\x00\x00\x00\x00\x00\x00"
>         "\x00\x1c\xf4\x1a\xb1\x1f\x12\xfb\x1e\x0a\x49\x40\x34\x00\x7d\xe7\xc6\x59"
>         "\x2d\xf1\xa6\xc6\x4d\x8f\x20\xa6\x77\x45\x40\x9e\x01\x1f\x12\x64\xd4\x3f"
>         "\x15\x3b\x3d\x34\x89\x9f\x40\x15\x9e\x80\x0e\xa2\x47\x4b\x54\x05\x00\xa3"
>         "\x0b\x23\xbc\xee\x46\x76\x2c\x20\x93\xbc\xc9\xea\xe5\xee\x3e\x98\x00\x26"
>         "\xc9\x6f\x80\xee\x1a\x74\xe0\x4b\xde\x74\x07\x50\xfa\x4d\x9a\xaa\x70\x59"
>         "\x89\xb8\xe6\x73\xe3\x29\x6e\x52\xd3\x37\xc5\x6a\xbf\x11\x28\x74\xec\x51"
>         "\xd6\xfe\x04\x8b\xa6\x86\x6a\xde\xba\xb5\x31\x68\x77\x0a\x71\xad\x90\x1a"
>         "\xce\x38\x3e\x41\xd2\x77\xb1\x03\x92\x3a\x9d\x97\x1f\x7a\x25\x91\xdb\xe4"
>         "\xa9\x12\xff\xaf\x6f\x65\x8f\x3f\x9c\xd1\x62\x86\x74\x4f\x83\xa8\x3f\x13"
>         "\x8f\x8f\x92\xef\xd9\x22\x39\xea\xfc\xe5\xc1\xb3\xf9\x7a\x29\x7c\x9e\x49"
>         "\xa0\xc3\x30\x0e\xf7\xb7\xfb\x5f\x09\xe0\xc8\xa8\x68\xa3\x53\x40\x9e\x34"
>         "\xd3\xe8\x22\x79\x63\x75\x99\xf3\x5a\xd3\xf7\xff\xff\xff\x3c\xac\x39\x4c"
>         "\x7b\xbd\xcd\x0e\x0e\xb5\x21\x89\x2c\x0f\x32\x01\x5b\xf4\xf2\x26\xa4\xe7"
>         "\x0f\x03\xcc\x41\x46\xa7\x7a\xf0\x2c\x1d\x4c\xef\xd4\xa2\xb9\x4c\x0a\xed"
>         "\x84\x77\xdf\xa8\xce\xef\xb4\x67\xf0\x5c\x69\x77\xc7\x8c\xdb\xf3\x77\x04"
>         "\xec\x73\x75\x55\x39\x2a\x0b\x06\x4b\xda\xba\x71\xf8\x97\x14\x49\x10\xfe"
>         "\x05\x00\x38\xec\x9e\x47\xde\x89\x29\x8b\x7b\xf4\xd7\x69\xcc\xc1\x8e\xed"
>         "\xe0\x06\x8c\xa1\x45\x78\x70\xeb\x30\xd2\x11\xe2\x3c\xcc\x8e\x06\xdd\xde"
>         "\xb6\x17\x99\x25\x7a\xb5\x5f\xf4\x13\xc8\x6b\xa9\xaf\xfb\x12\xec\x75\x7c"
>         "\x72\x34\xc2\x70\x24\x6c\x87\x8d\x01\x16\x0e\x6c\x07\xbf\x6c\xf8\x80\x9c"
>         "\x3a\x0d\x06\x23\x57\xba\x25\x15\x56\x72\x30\xad\x1e\x1f\x49\x33\x54\x5f"
>         "\xc3\xc7\x41\x37\x36\x11\x66\x3f\x6b\x63\xb1\xdd\x04\x4d\xd0\xa2\x76\x8e"
>         "\x82\x59\x72\xea\x3b\x77\x64\x14\x67\xc8\x9f\xa0\xf8\x2e\x84\x40\x10\x50"
>         "\x51\xe5\x51\x0a\x33\xdc\xda\x5e\x4e\x20\x2b\xd6\x22\x54\x9c\x4c\xff\x3f"
>         "\x5e\x50\x1d\x3a\x5d\xd7\x14\x3f\xbf\x22\x1f\xff\x16\x1c\x12\xca\x38\x95"
>         "\xa3\x00\x00\x00\x00\x00\x00\x0f\xff\x75\x06\x7d\x2a\x21\x4f\x8c\x9d\x9b"
>         "\x2e\xcf\x63\x01\x6c\x5f\xd9\xc2\x6a\x54\xd4\x3f\xa0\x50\xb8\x8d\x1d\x43"
>         "\xa8\x64\x5b\xd9\x76\x9b\x7e\x07\x86\x9b\xba\x71\x31\x42\x1c\x0f\x39\x11"
>         "\x3b\xe7\x66\x4e\x08\xbd\xd7\x11\x5c\x61\xaf\xcb\x71\x8c\xf3\xc4\x68\x0b"
>         "\x2f\x6c\x7a\x84\x00\xe3\x78\xa9\xb1\x5b\xc2\x0f\x49\xe2\x98\x72\x73\x40"
>         "\xe8\x7c\xde\xfb\x40\xe5\x6e\x9c\xfa\xd9\x73\x34\x7d\x0d\xe7\xba\x47\x54"
>         "\xff\x23\x1a\x1b\x93\x3d\x8f\x93\x1b\x8c\x55\x2b\x2c\x7c\x50\x3f\x3d\x0e"
>         "\x7a\xb0\xe9\x58\xad\xb8\x62\x82\x2e\x40\x00\x99\x95\xae\x16\x6d\xeb\x98"
>         "\x56\x29\x1a\x43\xa6\xf7\xeb\x2e\x32\xce\xfb\xf4\x63\x78\x9e\xaf\x79\xb8"
>         "\xd4\xc2\xbf\x0f\x7a\x2c\xb0\x32\xda\xd1\x30\x07\xb8\x2e\x60\xdb\xe9\x86"
>         "\x4a\x11\x7d\x27\x32\x68\x50\xa7\xc3\xb5\x70\x86\x3f\x53\x2c\x21\x8b\x10"
>         "\xaf\x13\xd7\xbe\x94\x98\x70\x05\x08\x8a\x83\x88\x0c\xca\xb9\xc9\x92\x0c"
>         "\x2d\x2a\xf8\xc5\xe1\x3d\x52\xc8\x3a\xc3\xfa\x7c\x3a\xe6\xc0\x83\x84\x86"
>         "\x5b\x66\xd2\xb4\xdc\xb5\xdd\x9c\xba\x16\xb6\x20\x40\xbf\x87\x02\xae\x12"
>         "\xc7\x7e\x6e\x34\x99\x1a\xf6\x03\xe3\x85\x6a\x34\x6c\xf7\xf9\xfe\xeb\x70"
>         "\x88\xae\xda\x89\x0c\xf8\xa4\xa6\xf3\x1b\xa6\xd9\xb8\xcb\x09\x8f\x93\x5b"
>         "\xdc\xbb\x29\xfd\x0f\x1a\x34\x2c\x01\x00\x00\x00\x00\x00\x00\x00\x48\xa9"
>         "\xde\xa0\x00\x00\x3a\x85\x67\xa7\x59\x2b\x33\x40\x6f\x1f\x71\xc7\x39\xb5"
>         "\x5d\xb9\x1d\x23\x09\xdc\x7a\xe4\x01\x00\x5f\x52\x05\x3a\x39\xe7\x30\x7c"
>         "\x09\xff\x3a\xc3\xe8\x20\xb0\x1c\x57\xdd\x74\xd4\xaa\xfc\x4c\x38\x3a\x17"
>         "\xbc\x1d\xe5\x34\x7b\xb7\x1c\xa1\x6d\xcb\xbb\xaa\x29\x35\xf6\x02\x32\x59"
>         "\x84\x38\x6b\x21\xb9\x64\x92\xae\x66\x20\x82\xb5\x6c\xf6\x66\xe6\x3a\x75"
>         "\x7c\x0e\xf3\xea\x7a\xf6\x88\x15\x13\xbe\x94\xb3\x66\xe1\x5f\xfc\xa8\xec"
>         "\x45\x3b\x3a\x2a\x67\xbe\xdc\xa1\xc7\x66\x95\x22\xe8\xdf\xf8\xbc\x57\x0a"
>         "\x93\xfb\xdb\x68\x8c\x3a\xef\xd4\x75\x01\x27\x7a\x6e\xa6\xb1\x11\x63\x39"
>         "\x2a\x19\xd8\x79\x95\xb5\x1c\x96\xfe\xbd\x5f\x24\xa3\x49\x98\xd2\x01\x0f"
>         "\xd5\xfa\xcf\x68\xc4\xf8\x4e\x2f\x66\xe2\x7c\x81\xa1\x49\xd7\xb3\x31\x98"
>         "\x3d\x3b\x74\x44\x49\x53\xfc\x12\x16\xdf\xec\x10\xb7\x24\xbe\x37\x33\xc2"
>         "\x6f\x12\x53\x83\x76\xe1\x77\xff\xef\x6f\xd2\x60\x3b\xfa\xb9\x68\x31\x95"
>         "\x7a\x08\xe4\x91\x9a\x46\x3d\x53\x32\xa2\x54\x60\x32\xa3\xc0\x6b\x94\xf1"
>         "\x68\xe8\xfc\x4b\xda\x0c\x29\x47\x23\xfe\x30\x6f\x26\xc4\x77\xaf\x4b\x92"
>         "\x66\x44\x67\x29\x85\xfa\xb7\xcc\x67\xbc\x5b\x5f\x5d\x38\xcd\xd8\xdf\x95"
>         "\x14\x7e\xbe\x1c\xd8\x8b\x0a\x2f\xbb\xde\x99\x51\xbe\x42\x82\x7d\xfd\xdf"
>         "\xef\xb2\x38\xfa\xc2\x30\x3c\xc8\x98\x2f\x1e\x55\xb0\x05\xaf\xcf\xea\x5e"
>         "\xb0\x37\x24\x8f\xef\xad\x6b\xb0\x2c\x16\x2c\xe9\x2a\xb1\x27\x13\x52\x2b"
>         "\x97\x50\x6c\x26\x77\x44\xc8\xec\x3d\x2e\x80\xcf\x32\x05\xd3\x66\x99\xfd"
>         "\x38\x1b\xc8\x12\x31\xfb\x5e\x12\xe4\x5f\x30\x59\xf3\x61\xd0\x8d\x6a\x6d"
>         "\x01\xdd\x79\xca\x9b\xfb\x4e\x06\x25\x94\x27\xb0\x29\x44\x7a\x3e\xd7\x0a"
>         "\x2b\x70\xbe\x52\x1e\xa2\x7d\xc8\xcf\x3c\x9b\xdf\x83\xb9\x34\x05\xdb\x07"
>         "\xe8\x2e\x2d\xdf\x4c\x4d\x26\xf1\xcd\xd8\xc3\xc9\x73\x6c\xf5\xe5\x08\x6d"
>         "\xe3\xb4\x84\xf8\x67\x3e\x0e\x97\xdd\x7e\x8a\x87\x21\x48\x61\x3c\x3a\xea"
>         "\xf2\xd6\x7f\x43\x75\xba\x5c\x7f\x1b\x00\x33\xf8\xdf\xe0\x1d\x9c\xb2\xa7"
>         "\x08\x01\xf7\x63\x52\x4e\x1d\x79\xd8\x12\xce\xd7\x82\x64\x6b\x5f\x79\xc8"
>         "\xfc\x08\xbb\x5c\x11\x02\x01\x08\xd7\x02\xed\xd2\xea\x9c\x96\xcf\xcb\x90"
>         "\x66\x66\x86\x27\x82\x0d\x2d\x48\xaa\x5f\xc0\xa7\xbf\x1b\x51\xaf\xd8\x53"
>         "\x50\xad\x00\xb7\x8c\x59\x8f\xa8\x70\x1b\x40\x08\x84\xde\x79\x0b\x54\xe5"
>         "\xab\x2e\x8f\xf0\xc7\xae\x23\xe0\xb6\xee\xac\x95\xc4\xc2\xee\xf2\xe5\xeb"
>         "\x1d\x01\x9d\x52\x09\x9f\xbd\x40\x4e\x8e\xce\x97\x0f\x67\x73\x6b\xa7\xe9"
>         "\x60\xbd\x8b\x1e\x41\x05\xce\x7e\x31\xf7\xc9\xc3\xe3\xfa\x61\xaa\xb9\x67"
>         "\x56\x5e\x04\x00\x00\x00\x00\x00\x00\x00\xa8\xcf\xda\x89\x0a\x98\xb9\x00"
>         "\x87\xe9\x1d\x70\x3e\x98\x53\x5b\x10\x7b\x8f\x46\x53\xbe\x4c\x46\xa3\xa1"
>         "\xad\xb0\x7d\x22\x69\x52\xb8\x57\x3b\x41\x70\x18\x31\x6f\xa9\x00\x00\x00"
>         "\x00\x00\x00\x00\x00\x41\x22\xc8\x63\x70\x9b\x08\xd4\x63\x9a\x2c\xa4\x6a"
>         "\xc9\x0a\xc4\x29\x13\xee\x9b\xca\xa8\x75\xfc\x70\x0b\xa3\x67\xca\x31\x82"
>         "\x10\x59\x60\xbe\xf3\x37\x8a\x98\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x25\x03\x18\xa4\x4a\xae\xbd\xe8\x49"
>         "\x58\x0d\x86\xd1\xaf\xb0\x2a\x49\x6c\x35\xca\x95\x0d\x60\xa3\xd9\x7f\x23"
>         "\xac\x37\xf8\x80\xdd\xc3\xb1\x7b\x12\x09\xb0\x03\xc3\x33\x4b\x1c\xc0\xdb"
>         "\x48\x3e\x24\x43\x69\x5f\xc9\x5e\xbb\x83\x20\xc9\xad\xee\x62\x94\x51\x4c"
>         "\x2c\xa4\x2a\x10\x48\x28\x6d\x70\xd6\x29\x8c\xe1\x4d\x03\x1d\x04\x7b\x08"
>         "\x0a\x76\x8b\x9d\xc3\x0e\x64\x40\xa1\x03\x0a\xcf\x39\x13\xa5\x78\x65\xa2"
>         "\x77\xce\x60\xe4\x2c\xe3\xb6\xb4\x3b\x4e\x18\xd5\xb5\x3f\xa1\x9f\x94\x69"
>         "\x01\x59\x04\xc7\xbb\xde\xf5\xd8\x90\x1f\xff\x46\x14\x77\xe0\x06\xa7\xaa"
>         "\x3f\x5e\xb4\x80\x09\x82\xcb\x62\x93\x5c\x26\x49\x00\xd9\xb2\xeb\xf2\x7c"
>         "\xd9\x99\x3f\xce\x0b\x10\x71\xd0\x51\x69\xf3\x38\x60\x91\xcf\xc4\x7d\xe1"
>         "\x09\xf9\x73\x47\x43\x4b\x79\x06\x40\x76\xe2\xb6\xea\x28\xd6\x9e\xbb\x75"
>         "\x0d";
>
> static const char license[4] = "GPL";
>
> static void execute_one(void)
> {
>         const union bpf_attr attr = {
>                 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
>                 .insn_cnt = 5,
>                 .insns = (unsigned long long) program,
>                 .license = (unsigned long long) license,
>         };
>         struct sockaddr_in addr = {
>                 .sin_family = AF_INET,
>                 .sin_port = htons(0x4001),
>                 .sin_addr.s_addr = inet_addr("172.20.20.180")
>         };
>         const struct msghdr msg = {
>                 .msg_name = &addr,
>                 .msg_namelen = sizeof(addr),
>         };
>         const int bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, 72);
>         const int sock_fd = socket(PF_INET, SOCK_STREAM, 0);
>         alarm(3);
>         while (1) {
>                 sendmsg(sock_fd, &msg, MSG_OOB | MSG_PROBE | MSG_CONFIRM | MSG_FASTOPEN);
>                 setsockopt(sock_fd, SOL_SOCKET, SO_ATTACH_BPF, &bpf_fd, sizeof(bpf_fd));
>         }
> }
>
> int main(int argc, char *argv[])
> {
>         if (unshare(CLONE_NEWNET))
>                 return 1;
>         initialize_netdevices();
>         execute_one();
>         return 0;
> }
> ------------------------------------------------------------
>
> I don't know what this bpf program is doing, but I suspect that this bpf
> program somehow involves a PF_INET6 socket without taking a reference to
> the net namespace in which this bpf program runs.
>
> Below is the debug printk() patch for 5.17 which I used for tracing.
>
> ------------------------------------------------------------
> diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
> index 5b61c462e534..a2fd96da8e21 100644
> --- a/include/net/net_namespace.h
> +++ b/include/net/net_namespace.h
> @@ -178,6 +178,7 @@ struct net {
>  #if IS_ENABLED(CONFIG_SMC)
>         struct netns_smc        smc;
>  #endif
> +       struct list_head struct_net_users;
>  } __randomize_layout;
>
>  #include <linux/seq_file_net.h>
> @@ -243,41 +244,16 @@ void ipx_unregister_sysctl(void);
>  void __put_net(struct net *net);
>
>  /* Try using get_net_track() instead */
> -static inline struct net *get_net(struct net *net)
> -{
> -       refcount_inc(&net->ns.count);
> -       return net;
> -}
> +extern struct net *get_net(struct net *net);
>
> -static inline struct net *maybe_get_net(struct net *net)
> -{
> -       /* Used when we know struct net exists but we
> -        * aren't guaranteed a previous reference count
> -        * exists.  If the reference count is zero this
> -        * function fails and returns NULL.
> -        */
> -       if (!refcount_inc_not_zero(&net->ns.count))
> -               net = NULL;
> -       return net;
> -}
> +extern struct net *maybe_get_net(struct net *net);
>
>  /* Try using put_net_track() instead */
> -static inline void put_net(struct net *net)
> -{
> -       if (refcount_dec_and_test(&net->ns.count))
> -               __put_net(net);
> -}
> +extern void put_net(struct net *net);
>
> -static inline
> -int net_eq(const struct net *net1, const struct net *net2)
> -{
> -       return net1 == net2;
> -}
> +extern int net_eq(const struct net *net1, const struct net *net2);
>
> -static inline int check_net(const struct net *net)
> -{
> -       return refcount_read(&net->ns.count) != 0;
> -}
> +extern int check_net(const struct net *net);
>
>  void net_drop_ns(void *);
>
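
Review bot: net_eq() and check_net() are un-inlined here as well, yet their out-of-line bodies later in the patch add no tracing at all, so for those two the change only adds a function call on hot paths (net_eq() runs in every socket lookup) without producing any information; keep net_eq() and check_net() inline and un-inline only get_net(), maybe_get_net() and put_net(), which are the ones that print.
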
> diff --git a/include/net/request_sock.h b/include/net/request_sock.h
> index 29e41ff3ec93..df89ff3dfa41 100644
> --- a/include/net/request_sock.h
> +++ b/include/net/request_sock.h
> @@ -118,7 +118,7 @@ static inline void __reqsk_free(struct request_sock *req)
>         if (req->rsk_listener)
>                 sock_put(req->rsk_listener);
>         kfree(req->saved_syn);
> -       kmem_cache_free(req->rsk_ops->slab, req);
> +       //kmem_cache_free(req->rsk_ops->slab, req);
>  }
>
>  static inline void reqsk_free(struct request_sock *req)
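
Review bot: commenting out kmem_cache_free() in __reqsk_free() deliberately leaks every request_sock so that a late timer still sees the original contents, but it also removes the KASAN poisoning that produced the original report: a use-after-free of a request_sock will now read valid-looking memory silently instead of tripping KASAN, so the only detector left for this object is the is_to_be_destroyed_net() check added in tcp_timer.c. A one-line comment saying the leak is intentional would stop the next reader from "fixing" it.
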
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 50aecd28b355..d2f386f9aa73 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -540,6 +540,7 @@ struct sock {
>  #endif
>         struct rcu_head         sk_rcu;
>         netns_tracker           ns_tracker;
> +       struct list_head        struct_net_user;
>  };
>
>  enum sk_pacing {
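
Review bot: struct_net_user is added with no initializer, so a struct sock that is set up by any path other than sk_alloc() or sock_copy() carries an uninitialized list node. Nothing in this patch calls sock_net_end_tracking(), so that cannot crash today, but a future list_del() on such a socket would; initialize the node with INIT_LIST_HEAD() where the socket is set up, or use list_del_init() and check list_empty() before touching it.
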
> @@ -2704,17 +2705,10 @@ static inline void sk_eat_skb(struct sock *sk, struct sk_buff *skb)
>         __kfree_skb(skb);
>  }
>
> -static inline
> -struct net *sock_net(const struct sock *sk)
> -{
> -       return read_pnet(&sk->sk_net);
> -}
> -
> -static inline
> -void sock_net_set(struct sock *sk, struct net *net)
> -{
> -       write_pnet(&sk->sk_net, net);
> -}
> +extern struct net *sock_net(const struct sock *sk);
> +extern void sock_net_set(struct sock *sk, struct net *net);
> +extern void sock_net_start_tracking(struct sock *sk, struct net *net);
> +extern void sock_net_end_tracking(struct sock *sk);
>
>  static inline bool
>  skb_sk_is_prefetched(struct sk_buff *skb)
> diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
> index a5b5bb99c644..cf4e8b224654 100644
> --- a/net/core/net_namespace.c
> +++ b/net/core/net_namespace.c
> @@ -26,6 +26,8 @@
>  #include <net/net_namespace.h>
>  #include <net/netns/generic.h>
>
> +DEFINE_SPINLOCK(net_users_lock);
> +
>  /*
>   *     Our network namespace constructor/destructor lists
>   */
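
Review bot: net_users_lock is defined at file scope but is used only in this file and is not declared in any header, so it should be static; as written it becomes a new global symbol and sparse will complain about the missing declaration.
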
> @@ -50,6 +52,7 @@ struct net init_net = {
>  #ifdef CONFIG_KEYS
>         .key_domain     = &init_net_key_domain,
>  #endif
> +       .struct_net_users = LIST_HEAD_INIT(init_net.struct_net_users),
>  };
>  EXPORT_SYMBOL(init_net);
>
> @@ -406,6 +409,7 @@ static struct net *net_alloc(void)
>         net = kmem_cache_zalloc(net_cachep, GFP_KERNEL);
>         if (!net)
>                 goto out_free;
> +       INIT_LIST_HEAD(&net->struct_net_users);
>
>  #ifdef CONFIG_KEYS
>         net->key_domain = kzalloc(sizeof(struct key_tag), GFP_KERNEL);
> @@ -432,7 +436,7 @@ static void net_free(struct net *net)
>  {
>         if (refcount_dec_and_test(&net->passive)) {
>                 kfree(rcu_access_pointer(net->gen));
> -               kmem_cache_free(net_cachep, net);
> +               //kmem_cache_free(net_cachep, net);
>         }
>  }
>
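
Review bot: leaving net_free() without the kmem_cache_free() is what makes the to_be_destroyed_net_list lookup trustworthy: since a struct net address is never recycled, a pointer match in is_to_be_destroyed_net() cannot be a false positive from a successor namespace allocated at the same address. That dependency is worth a comment here, because if someone restores the free without also changing the lookup, the check will start flagging perfectly valid namespaces.
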
> @@ -637,8 +641,46 @@ EXPORT_SYMBOL(net_ns_barrier);
>
>  static DECLARE_WORK(net_cleanup_work, cleanup_net);
>
> +struct to_be_destroyed_net {
> +       struct list_head list;
> +       struct net *net;
> +};
> +
> +static LIST_HEAD(to_be_destroyed_net_list);
> +static DEFINE_SPINLOCK(to_be_destroyed_net_list_lock);
> +
> +bool is_to_be_destroyed_net(struct net *net)
> +{
> +       unsigned long flags;
> +       struct to_be_destroyed_net *entry;
> +       bool found = false;
> +
> +       spin_lock_irqsave(&to_be_destroyed_net_list_lock, flags);
> +       list_for_each_entry(entry, &to_be_destroyed_net_list, list) {
> +               if (entry->net == net) {
> +                       found = true;
> +                       break;
> +               }
> +       }
> +       spin_unlock_irqrestore(&to_be_destroyed_net_list_lock, flags);
> +       return found;
> +}
> +EXPORT_SYMBOL(is_to_be_destroyed_net);
> +
>  void __put_net(struct net *net)
>  {
> +       struct to_be_destroyed_net *entry = kzalloc(sizeof(*entry), GFP_ATOMIC | __GFP_NOWARN);
> +       unsigned long flags;
> +
> +       if (entry) {
> +               entry->net = net;
> +               spin_lock_irqsave(&to_be_destroyed_net_list_lock, flags);
> +               list_add_tail(&entry->list, &to_be_destroyed_net_list);
> +               spin_unlock_irqrestore(&to_be_destroyed_net_list_lock, flags);
> +       }
> +       pr_info("Releasing net=%px net->ns.count=%d in_use=%d\n",
> +               net, refcount_read(&net->ns.count), sock_inuse_get(net));
> +       dump_stack();
>         ref_tracker_dir_exit(&net->refcnt_tracker);
>         /* Cleanup the network namespace in process context */
>         if (llist_add(&net->cleanup_list, &cleanup_list))
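
Review bot: when the GFP_ATOMIC kzalloc() in __put_net() fails, the namespace is silently never added to to_be_destroyed_net_list (the __GFP_NOWARN hides even that), so a later "not found" from is_to_be_destroyed_net() is inconclusive precisely under the memory pressure a fuzzer produces; at least pr_warn() on that path, or embed the list node in struct net (as this patch already does for struct_net_users) so no allocation is needed. Entries are also never removed from the list, which is only acceptable because net_free() no longer frees the struct.
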
> @@ -1382,4 +1424,113 @@ const struct proc_ns_operations netns_operations = {
>         .install        = netns_install,
>         .owner          = netns_owner,
>  };
> +
> +struct net *get_net(struct net *net)
> +{
> +       refcount_inc(&net->ns.count);
> +       if (net != &init_net) {
> +               pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
> +               dump_stack();
> +       }
> +       return net;
> +}
> +EXPORT_SYMBOL(get_net);
> +
> +struct net *maybe_get_net(struct net *net)
> +{
> +       /* Used when we know struct net exists but we
> +        * aren't guaranteed a previous reference count
> +        * exists.  If the reference count is zero this
> +        * function fails and returns NULL.
> +        */
> +       if (!refcount_inc_not_zero(&net->ns.count))
> +               net = NULL;
> +       else if (net != &init_net) {
> +               pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
> +               dump_stack();
> +       }
> +       return net;
> +}
> +EXPORT_SYMBOL(maybe_get_net);
> +
> +void put_net(struct net *net)
> +{
> +       if (net != &init_net) {
> +               pr_info("net=%px count=%d\n", net, refcount_read(&net->ns.count));
> +               dump_stack();
> +       }
> +       if (refcount_dec_and_test(&net->ns.count))
> +               __put_net(net);
> +}
> +EXPORT_SYMBOL(put_net);
> +
> +int net_eq(const struct net *net1, const struct net *net2)
> +{
> +       return net1 == net2;
> +}
> +EXPORT_SYMBOL(net_eq);
> +
> +int check_net(const struct net *net)
> +{
> +       return refcount_read(&net->ns.count) != 0;
> +}
> +EXPORT_SYMBOL(check_net);
> +
> +void sock_net_start_tracking(struct sock *sk, struct net *net)
> +{
> +       unsigned long flags;
> +
> +       if (net == &init_net)
> +               return;
> +       spin_lock_irqsave(&net_users_lock, flags);
> +       list_add_tail(&sk->struct_net_user, &net->struct_net_users);
> +       spin_unlock_irqrestore(&net_users_lock, flags);
> +}
> +
> +void sock_net_end_tracking(struct sock *sk)
> +{
> +       unsigned long flags;
> +
> +       spin_lock_irqsave(&net_users_lock, flags);
> +       list_del(&sk->struct_net_user);
> +       spin_unlock_irqrestore(&net_users_lock, flags);
> +}
> +
> +struct net *sock_net(const struct sock *sk)
> +{
> +       struct net *net = read_pnet(&sk->sk_net);
> +       unsigned long flags;
> +       bool found = false;
> +       struct sock *s;
> +
> +       if (net == &init_net)
> +               return net;
> +       spin_lock_irqsave(&net_users_lock, flags);
> +       BUG_ON(!net->struct_net_users.next);
> +       BUG_ON(!net->struct_net_users.prev);
> +       list_for_each_entry(s, &net->struct_net_users, struct_net_user) {
> +               BUG_ON(!s->struct_net_user.next);
> +               BUG_ON(!s->struct_net_user.prev);
> +               if (s == sk) {
> +                       found = true;
> +                       break;
> +               }
> +       }
> +       spin_unlock_irqrestore(&net_users_lock, flags);
> +       if (!found) {
> +               pr_info("sock=%px is accessing untracked net=%px\n", sk, net);
> +               pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
> +                       sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
> +               dump_stack();
> +       }
> +       return net;
> +}
> +EXPORT_SYMBOL(sock_net);
> +
> +void sock_net_set(struct sock *sk, struct net *net)
> +{
> +       write_pnet(&sk->sk_net, net);
> +}
> +EXPORT_SYMBOL(sock_net_set);
> +
>  #endif
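
Review bot: the out-of-line sock_net() takes net_users_lock with interrupts disabled and walks every tracked socket of the namespace on each call, on one of the hottest paths in the stack; that is tolerable for a tracing build, but it shifts timing enough that the race may stop reproducing, so say so in the cover text. Separately, sock_net_set() still only does write_pnet() and does not move sk->struct_net_user to the new namespace's list, so a socket whose sk_net is changed after sk_alloc() will log "is accessing untracked net" although its pointer is valid; either have sock_net_set() re-register the socket, or read that message as "namespace changed or stale" rather than as a use-after-free on its own.
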
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 6eb174805bf0..3c303117e3bb 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1904,6 +1904,7 @@ static void sock_copy(struct sock *nsk, const struct sock *osk)
>         nsk->sk_security = sptr;
>         security_sk_clone(osk, nsk);
>  #endif
> +       sock_net_start_tracking(nsk, read_pnet(&nsk->sk_net));
>  }
>
>  static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
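
Review bot: by the time sock_net_start_tracking() runs here, sock_copy() has already copied osk's struct_net_user node into nsk, so the clone briefly holds a copy of its parent's list pointers; list_add_tail() overwrites both before anything can observe them, so the code is correct, but a short comment would help, since at first glance it looks like the same node being linked twice.
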
> @@ -1953,10 +1954,12 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
>         cgroup_sk_free(&sk->sk_cgrp_data);
>         mem_cgroup_sk_free(sk);
>         security_sk_free(sk);
> +       /*
>         if (slab != NULL)
>                 kmem_cache_free(slab, sk);
>         else
>                 kfree(sk);
> +       */
>         module_put(owner);
>  }
>
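
Review bot: sk_prot_free() now neither frees the socket nor calls sock_net_end_tracking(sk), so a destroyed socket stays on its namespace's struct_net_users list and sock_net() keeps reporting it as tracked. That is deliberate (the stale socket has to remain readable for the timer trace), but it means the "untracked" message in sock_net() can never fire for a freed socket, only for one that was never registered, and the is_to_be_destroyed_net() check in the timer is the one that actually catches the use-after-free; spell out that division of labour in a comment here.
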
> @@ -1989,6 +1992,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
>                         sock_inuse_add(net, 1);
>                 }
>
> +               sock_net_start_tracking(sk, net);
>                 sock_net_set(sk, net);
>                 refcount_set(&sk->sk_wmem_alloc, 1);
>
> diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
> index 20cf4a98c69d..412bee1dc9cb 100644
> --- a/net/ipv4/tcp_timer.c
> +++ b/net/ipv4/tcp_timer.c
> @@ -433,6 +433,7 @@ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req)
>                           TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX);
>  }
>
> +extern bool is_to_be_destroyed_net(struct net *net);
>
>  /**
>   *  tcp_retransmit_timer() - The TCP retransmit timeout handler
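
Review bot: the extern prototype for is_to_be_destroyed_net() belongs in include/net/net_namespace.h beside the other declarations this patch adds, not in tcp_timer.c; a local prototype silently goes out of sync if the signature changes, and it also sits in the middle of the kernel-doc block for tcp_retransmit_timer().
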
> @@ -453,6 +454,13 @@ void tcp_retransmit_timer(struct sock *sk)
>         struct request_sock *req;
>         struct sk_buff *skb;
>
> +       if (is_to_be_destroyed_net(net)) {
> +               pr_info("BUG: Trying to access destroyed net=%px sk=%px\n", net, sk);
> +               pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
> +                       sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
> +               WARN_ON(1);
> +       }
> +
>         req = rcu_dereference_protected(tp->fastopen_rsk,
>                                         lockdep_sock_is_held(sk));
>         if (req) {
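
Review bot: the new check in tcp_retransmit_timer() reads net->ns.count and sk->sk_prot_creator->name from the very namespace and socket it has just identified as destroyed, so the diagnostic is itself a read of logically freed objects; it only works because net_free() and sk_prot_free() no longer release the memory in this same patch. Keep that dependency in mind if this hunk is ever applied on its own, and consider WARN_ON_ONCE() so the first hit is not buried under repeats from the same timer.
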
> @@ -636,6 +644,7 @@ static void tcp_write_timer(struct timer_list *t)
>         struct inet_connection_sock *icsk =
>                         from_timer(icsk, t, icsk_retransmit_timer);
>         struct sock *sk = &icsk->icsk_inet.sk;
> +       struct net *net = sock_net(sk);
>
>         bh_lock_sock(sk);
>         if (!sock_owned_by_user(sk)) {
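
Review bot: capturing sock_net(sk) at the top of tcp_write_timer(), before bh_lock_sock(), means every timer fire now also performs the patched sock_net() list walk, and the "untracked net" stack dump can come from here as well as from tcp_retransmit_timer(); that is probably what you want for tracing, but note that the value is only captured to be used after sock_put() in the following hunk.
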
> @@ -647,6 +656,11 @@ static void tcp_write_timer(struct timer_list *t)
>         }
>         bh_unlock_sock(sk);
>         sock_put(sk);
> +       if (is_to_be_destroyed_net(net)) {
> +               pr_info("INFO: About to destroy net=%px sk=%px\n", net, sk);
> +               pr_info("sk->sk_family=%d sk->sk_prot_creator->name=%s sk->sk_state=%d sk->sk_flags=0x%lx net->ns.count=%d\n",
> +                       sk->sk_family, sk->sk_prot_creator->name, sk->sk_state, sk->sk_flags, refcount_read(&net->ns.count));
> +       }
>  }
>
>  void tcp_syn_ack_timeout(const struct request_sock *req)
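
Review bot: the new block runs after sock_put(sk) and dereferences sk (sk_family, sk_prot_creator->name, sk_state, sk_flags); once sock_put() has dropped the last reference the socket may be freed, so in an unmodified kernel this block is a use-after-free of its own. It is safe here only because sk_prot_free() has been stubbed out in this same patch; move the dump before sock_put(), or copy the fields into locals while the reference is still held, so the tracing does not depend on that leak.
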
> ------------------------------------------------------------
>
> And below is the console output with this printk() patch.
>
> ------------------------------------------------------------
> [   83.642910][ T2875] net_namespace: net=ffff888036278000 count=2
> [   83.645415][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   83.648311][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   83.651893][ T2875] Call Trace:
> [   83.653239][ T2875]  <TASK>
> [   83.654540][ T2875]  dump_stack_lvl+0xcd/0x134
> [   83.656428][ T2875]  get_net.cold+0x21/0x26
> [   83.658194][ T2875]  sk_alloc+0x1ca/0x8a0
> [   83.659979][ T2875]  __netlink_create+0x44/0x160
> [   83.662246][ T2875]  netlink_create+0x210/0x310
> [   83.664146][ T2875]  ? do_set_master+0x100/0x100
> [   83.666538][ T2875]  __sock_create+0x20e/0x4f0
> [   83.668648][ T2875]  __sys_socket+0x6f/0x140
> [   83.670597][ T2875]  __x64_sys_socket+0x1a/0x20
> [   83.672385][ T2875]  do_syscall_64+0x35/0xb0
> [   83.674069][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   83.676201][ T2875] RIP: 0033:0x7fbbed5067db
> [   83.677873][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
> [   83.685279][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
> [   83.688515][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
> [   83.691782][ T2875] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000010
> [   83.694835][ T2875] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fbbed617d50
> [   83.697960][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 000055a16962f410
> [   83.701245][ T2875] R13: 00007ffd7a1e7810 R14: 0000000000000000 R15: 0000000000000000
> [   83.704951][ T2875]  </TASK>
> [   83.708603][ T2875] net_namespace: net=ffff888036278000 count=3
> [   83.712187][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   83.715235][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   83.718777][ T2875] Call Trace:
> [   83.720083][ T2875]  <TASK>
> [   83.721401][ T2875]  dump_stack_lvl+0xcd/0x134
> [   83.723313][ T2875]  get_net.cold+0x21/0x26
> [   83.725388][ T2875]  get_proc_task_net+0x99/0x1c0
> [   83.727321][ T2875]  proc_tgid_net_lookup+0x21/0x60
> [   83.729327][ T2875]  __lookup_slow+0x146/0x280
> [   83.731453][ T2875]  walk_component+0x1f2/0x2a0
> [   83.733426][ T2875]  path_lookupat.isra.0+0xc4/0x270
> [   83.735638][ T2875]  filename_lookup+0x103/0x250
> [   83.737518][ T2875]  ? unuse_pde+0x50/0x50
> [   83.739230][ T2875]  ? simple_attr_release+0x20/0x20
> [   83.741365][ T2875]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   83.746650][ T2875]  user_path_at_empty+0x42/0x60
> [   83.748679][ T2875]  do_faccessat+0xd5/0x490
> [   83.750698][ T2875]  do_syscall_64+0x35/0xb0
> [   83.752750][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   83.755147][ T2875] RIP: 0033:0x7fbbed4f416b
> [   83.756987][ T2875] Code: 77 05 c3 0f 1f 40 00 48 8b 15 21 dd 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 f3 0f 1e fa b8 15 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 f1 dc 0d 00 f7 d8
> [   83.764201][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
> [   83.767625][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed4f416b
> [   83.770815][ T2875] RDX: 0000000000000008 RSI: 0000000000000004 RDI: 00007ffd7a1e64f0
> [   83.773982][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0078696e752f7465
> [   83.777202][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
> [   83.780346][ T2875] R13: 00007ffd7a1e64f0 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   83.783686][ T2875]  </TASK>
> [   83.785743][ T2875] net_namespace: net=ffff888036278000 count=3
> [   83.788711][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   83.791774][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   83.795370][ T2875] Call Trace:
> [   83.796779][ T2875]  <TASK>
> [   83.798094][ T2875]  dump_stack_lvl+0xcd/0x134
> [   83.800045][ T2875]  put_net.cold+0x1f/0x24
> [   83.802444][ T2875]  proc_tgid_net_lookup+0x4b/0x60
> [   83.804936][ T2875]  __lookup_slow+0x146/0x280
> [   83.806890][ T2875]  walk_component+0x1f2/0x2a0
> [   83.808840][ T2875]  path_lookupat.isra.0+0xc4/0x270
> [   83.810945][ T2875]  filename_lookup+0x103/0x250
> [   83.812928][ T2875]  ? unuse_pde+0x50/0x50
> [   83.814760][ T2875]  ? simple_attr_release+0x20/0x20
> [   83.817416][ T2875]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   83.819696][ T2875]  user_path_at_empty+0x42/0x60
> [   83.822173][ T2875]  do_faccessat+0xd5/0x490
> [   83.823958][ T2875]  do_syscall_64+0x35/0xb0
> [   83.825808][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   83.827975][ T2875] RIP: 0033:0x7fbbed4f416b
> [   83.829676][ T2875] Code: 77 05 c3 0f 1f 40 00 48 8b 15 21 dd 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 f3 0f 1e fa b8 15 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 f1 dc 0d 00 f7 d8
> [   83.836926][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
> [   83.840089][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed4f416b
> [   83.843171][ T2875] RDX: 0000000000000008 RSI: 0000000000000004 RDI: 00007ffd7a1e64f0
> [   83.846444][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0078696e752f7465
> [   83.849481][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
> [   83.852857][ T2875] R13: 00007ffd7a1e64f0 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   83.855888][ T2875]  </TASK>
> [   83.857759][ T2875] net_namespace: net=ffff888036278000 count=3
> [   83.860508][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   83.863611][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   83.867655][ T2875] Call Trace:
> [   83.869162][ T2875]  <TASK>
> [   83.870467][ T2875]  dump_stack_lvl+0xcd/0x134
> [   83.872611][ T2875]  get_net.cold+0x21/0x26
> [   83.874572][ T2875]  sk_alloc+0x1ca/0x8a0
> [   83.876337][ T2875]  unix_create1+0x81/0x2c0
> [   83.878159][ T2875]  unix_create+0x9a/0x130
> [   83.880015][ T2875]  __sock_create+0x20e/0x4f0
> [   83.881874][ T2875]  __sys_socket+0x6f/0x140
> [   83.883730][ T2875]  __x64_sys_socket+0x1a/0x20
> [   83.886127][ T2875]  do_syscall_64+0x35/0xb0
> [   83.888040][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   83.890433][ T2875] RIP: 0033:0x7fbbed5067db
> [   83.892409][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
> [   83.899534][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
> [   83.903158][ T2875] RAX: ffffffffffffffda RBX: 00007fbbed5985a0 RCX: 00007fbbed5067db
> [   83.906369][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
> [   83.909364][ T2875] RBP: 0000000000000002 R08: 000000000000000d R09: 0078696e752f7465
> [   83.912373][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007fbbed59867c
> [   83.915860][ T2875] R13: 00007ffd7a1e64f0 R14: 0000000000000001 R15: 0000000000000000
> [   83.919121][ T2875]  </TASK>
> [   83.921478][ T2875] net_namespace: net=ffff888036278000 count=3
> [   83.924516][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   83.927520][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   83.931006][ T2875] Call Trace:
> [   83.932385][ T2875]  <TASK>
> [   83.933651][ T2875]  dump_stack_lvl+0xcd/0x134
> [   83.935827][ T2875]  put_net.cold+0x1f/0x24
> [   83.937612][ T2875]  __sk_destruct+0x1f9/0x3b0
> [   83.939531][ T2875]  sk_destruct+0xa6/0xc0
> [   83.941428][ T2875]  __sk_free+0x5a/0x1b0
> [   83.943189][ T2875]  sk_free+0x6b/0x90
> [   83.944884][ T2875]  unix_release_sock+0x4d4/0x6d0
> [   83.946887][ T2875]  unix_release+0x2d/0x40
> [   83.948674][ T2875]  __sock_release+0x47/0xd0
> [   83.950652][ T2875]  ? __sock_release+0xd0/0xd0
> [   83.952626][ T2875]  sock_close+0x18/0x20
> [   83.954491][ T2875]  __fput+0x117/0x450
> [   83.956241][ T2875]  task_work_run+0x75/0xd0
> [   83.958071][ T2875]  exit_to_user_mode_prepare+0x273/0x280
> [   83.960365][ T2875]  syscall_exit_to_user_mode+0x19/0x60
> [   83.962612][ T2875]  do_syscall_64+0x42/0xb0
> [   83.964521][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   83.967103][ T2875] RIP: 0033:0x7fbbed4f937b
> [   83.968976][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
> [   83.976315][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
> [   83.979599][ T2875] RAX: 0000000000000000 RBX: 0000000000001802 RCX: 00007fbbed4f937b
> [   83.982751][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
> [   83.985979][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 0078696e752f7465
> [   83.989107][ T2875] R10: 0000000000000004 R11: 0000000000000246 R12: 00007ffd7a1e6540
> [   83.992365][ T2875] R13: 00007ffd7a1e762c R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   83.995633][ T2875]  </TASK>
> [   83.998686][ T2875] net_namespace: net=ffff888036278000 count=3
> [   84.001243][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.005041][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.008594][ T2875] Call Trace:
> [   84.010029][ T2875]  <TASK>
> [   84.011797][ T2875]  dump_stack_lvl+0xcd/0x134
> [   84.013820][ T2875]  get_net.cold+0x21/0x26
> [   84.016049][ T2875]  sk_alloc+0x1ca/0x8a0
> [   84.018006][ T2875]  unix_create1+0x81/0x2c0
> [   84.019853][ T2875]  unix_create+0x9a/0x130
> [   84.021779][ T2875]  __sock_create+0x20e/0x4f0
> [   84.023672][ T2875]  __sys_socket+0x6f/0x140
> [   84.025544][ T2875]  __x64_sys_socket+0x1a/0x20
> [   84.027473][ T2875]  do_syscall_64+0x35/0xb0
> [   84.029310][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.031710][ T2875] RIP: 0033:0x7fbbed5067db
> [   84.033512][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
> [   84.041069][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
> [   84.044342][ T2875] RAX: ffffffffffffffda RBX: 000000000000780a RCX: 00007fbbed5067db
> [   84.047336][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
> [   84.050451][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 000055a16963001a
> [   84.053617][ T2875] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffd7a1e6540
> [   84.056885][ T2875] R13: 00007ffd7a1e7680 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.059933][ T2875]  </TASK>
> [   84.061977][ T2875] net_namespace: net=ffff888036278000 count=3
> [   84.064619][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.067684][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.071207][ T2875] Call Trace:
> [   84.072586][ T2875]  <TASK>
> [   84.073835][ T2875]  dump_stack_lvl+0xcd/0x134
> [   84.075862][ T2875]  put_net.cold+0x1f/0x24
> [   84.077663][ T2875]  __sk_destruct+0x1f9/0x3b0
> [   84.079540][ T2875]  sk_destruct+0xa6/0xc0
> [   84.081437][ T2875]  __sk_free+0x5a/0x1b0
> [   84.085862][ T2875]  sk_free+0x6b/0x90
> [   84.087628][ T2875]  unix_release_sock+0x4d4/0x6d0
> [   84.089575][ T2875]  unix_release+0x2d/0x40
> [   84.091333][ T2875]  __sock_release+0x47/0xd0
> [   84.093107][ T2875]  ? __sock_release+0xd0/0xd0
> [   84.095003][ T2875]  sock_close+0x18/0x20
> [   84.096801][ T2875]  __fput+0x117/0x450
> [   84.098375][ T2875]  task_work_run+0x75/0xd0
> [   84.100983][ T2875]  exit_to_user_mode_prepare+0x273/0x280
> [   84.103425][ T2875]  syscall_exit_to_user_mode+0x19/0x60
> [   84.105626][ T2875]  do_syscall_64+0x42/0xb0
> [   84.107471][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.109773][ T2875] RIP: 0033:0x7fbbed4f937b
> [   84.111613][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
> [   84.118931][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
> [   84.122539][ T2875] RAX: 0000000000000000 RBX: 000000000000780a RCX: 00007fbbed4f937b
> [   84.125766][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
> [   84.129038][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 000055a16963001a
> [   84.132217][ T2875] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffd7a1e6540
> [   84.135522][ T2875] R13: 00007ffd7a1e7680 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.138787][ T2875]  </TASK>
> [   84.141378][ T2875] net_namespace: net=ffff888036278000 count=3
> [   84.143692][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.146720][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.150247][ T2875] Call Trace:
> [   84.151721][ T2875]  <TASK>
> [   84.153004][ T2875]  dump_stack_lvl+0xcd/0x134
> [   84.154955][ T2875]  get_net.cold+0x21/0x26
> [   84.156772][ T2875]  sk_alloc+0x1ca/0x8a0
> [   84.158541][ T2875]  unix_create1+0x81/0x2c0
> [   84.160417][ T2875]  unix_create+0x9a/0x130
> [   84.162226][ T2875]  __sock_create+0x20e/0x4f0
> [   84.164112][ T2875]  __sys_socket+0x6f/0x140
> [   84.166350][ T2875]  __x64_sys_socket+0x1a/0x20
> [   84.168367][ T2875]  do_syscall_64+0x35/0xb0
> [   84.170319][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.172755][ T2875] RIP: 0033:0x7fbbed5067db
> [   84.174630][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
> [   84.181843][ T2875] RSP: 002b:00007ffd7a1e64e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
> [   84.185360][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
> [   84.188587][ T2875] RDX: 0000000000000000 RSI: 0000000000080002 RDI: 0000000000000001
> [   84.191962][ T2875] RBP: 000055a169630004 R08: 000000000000000d R09: 0000000000000000
> [   84.195151][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7a1e6540
> [   84.198247][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.201606][ T2875]  </TASK>
> [   84.203465][ T2875] net_namespace: net=ffff888036278000 count=3
> [   84.206040][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.209034][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.212497][ T2875] Call Trace:
> [   84.213878][ T2875]  <TASK>
> [   84.215443][ T2875]  dump_stack_lvl+0xcd/0x134
> [   84.217370][ T2875]  put_net.cold+0x1f/0x24
> [   84.219202][ T2875]  __sk_destruct+0x1f9/0x3b0
> [   84.221245][ T2875]  sk_destruct+0xa6/0xc0
> [   84.223004][ T2875]  __sk_free+0x5a/0x1b0
> [   84.224776][ T2875]  sk_free+0x6b/0x90
> [   84.226342][ T2875]  unix_release_sock+0x4d4/0x6d0
> [   84.228268][ T2875]  unix_release+0x2d/0x40
> [   84.230137][ T2875]  __sock_release+0x47/0xd0
> [   84.231923][ T2875]  ? __sock_release+0xd0/0xd0
> [   84.233765][ T2875]  sock_close+0x18/0x20
> [   84.236000][ T2875]  __fput+0x117/0x450
> [   84.237704][ T2875]  task_work_run+0x75/0xd0
> [   84.239496][ T2875]  exit_to_user_mode_prepare+0x273/0x280
> [   84.242142][ T2875]  syscall_exit_to_user_mode+0x19/0x60
> [   84.244474][ T2875]  do_syscall_64+0x42/0xb0
> [   84.246441][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.248704][ T2875] RIP: 0033:0x7fbbed4f937b
> [   84.250500][ T2875] Code: c3 48 8b 15 17 8b 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb c2 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8a 0d 00 f7 d8
> [   84.257987][ T2875] RSP: 002b:00007ffd7a1e6538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
> [   84.261471][ T2875] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fbbed4f937b
> [   84.264691][ T2875] RDX: 00007ffd7a1e6540 RSI: 0000000000008933 RDI: 0000000000000004
> [   84.267780][ T2875] RBP: 0000000000000004 R08: 000000000000000d R09: 0000000000000000
> [   84.271032][ T2875] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd7a1e6540
> [   84.274208][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.277498][ T2875]  </TASK>
> [   84.287045][ T2875] net_namespace: net=ffff888036278000 count=3
> [   84.289271][ T2875] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.292514][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.296133][ T2875] Call Trace:
> [   84.297568][ T2875]  <TASK>
> [   84.298859][ T2875]  dump_stack_lvl+0xcd/0x134
> [   84.300918][ T2875]  get_net.cold+0x21/0x26
> [   84.302637][ T2875]  sk_alloc+0x1ca/0x8a0
> [   84.304653][ T2875]  inet_create+0x21e/0x7e0
> [   84.306778][ T2875]  __sock_create+0x20e/0x4f0
> [   84.308690][ T2875]  __sys_socket+0x6f/0x140
> [   84.310513][ T2875]  __x64_sys_socket+0x1a/0x20
> [   84.312659][ T2875]  do_syscall_64+0x35/0xb0
> [   84.314573][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.316905][ T2875] RIP: 0033:0x7fbbed5067db
> [   84.318820][ T2875] Code: 73 01 c3 48 8b 0d b5 b6 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 b6 0c 00 f7 d8 64 89 01 48
> [   84.325864][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
> [   84.329133][ T2875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbed5067db
> [   84.332546][ T2875] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
> [   84.336076][ T2875] RBP: 00007ffd7a1e762c R08: 0000000000000000 R09: 0000000000000000
> [   84.339372][ T2875] R10: 1999999999999999 R11: 0000000000000246 R12: 00007ffd7a1e7630
> [   84.342502][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.345680][ T2875]  </TASK>
> [   84.353592][    C0] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
> [   84.358423][    C0] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=3
> [   84.363617][    C0] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.366717][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.370399][    C0] Call Trace:
> [   84.371855][    C0]  <IRQ>
> [   84.373042][    C0]  dump_stack_lvl+0xcd/0x134
> [   84.374866][    C0]  sock_net+0x118/0x160
> [   84.376672][    C0]  inet_ehash_insert+0x98/0x490
> [   84.378737][    C0]  inet_csk_reqsk_queue_hash_add+0x5b/0x80
> [   84.381582][    C0]  tcp_conn_request+0x1082/0x14a0
> [   84.383746][    C0]  ? tcp_v4_conn_request+0x6c/0x120
> [   84.386019][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.388249][    C0]  tcp_v4_conn_request+0x6c/0x120
> [   84.390356][    C0]  tcp_v6_conn_request+0x157/0x1d0
> [   84.392458][    C0]  tcp_rcv_state_process+0x443/0x1f20
> [   84.394725][    C0]  ? tcp_v4_do_rcv+0x1b5/0x600
> [   84.396681][    C0]  tcp_v4_do_rcv+0x1b5/0x600
> [   84.398620][    C0]  tcp_v4_rcv+0x1bad/0x1de0
> [   84.400791][    C0]  ip_protocol_deliver_rcu+0x52/0x630
> [   84.403773][    C0]  ip_local_deliver_finish+0xb4/0x1d0
> [   84.406060][    C0]  ip_local_deliver+0xa7/0x320
> [   84.408075][    C0]  ? ip_protocol_deliver_rcu+0x630/0x630
> [   84.410374][    C0]  ip_rcv_finish+0x108/0x170
> [   84.412225][    C0]  ip_rcv+0x69/0x2f0
> [   84.413859][    C0]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
> [   84.416510][    C0]  __netif_receive_skb_one_core+0x6a/0xa0
> [   84.418949][    C0]  __netif_receive_skb+0x24/0xa0
> [   84.421102][    C0]  process_backlog+0x11d/0x320
> [   84.422978][    C0]  __napi_poll+0x3d/0x3e0
> [   84.424808][    C0]  net_rx_action+0x34e/0x480
> [   84.426713][    C0]  __do_softirq+0xde/0x539
> [   84.428458][    C0]  ? ip_finish_output2+0x401/0x1060
> [   84.430566][    C0]  do_softirq+0xb1/0xf0
> [   84.432611][    C0]  </IRQ>
> [   84.433909][    C0]  <TASK>
> [   84.435285][    C0]  __local_bh_enable_ip+0xbf/0xd0
> [   84.437418][    C0]  ip_finish_output2+0x42f/0x1060
> [   84.439382][    C0]  ? __ip_finish_output+0x471/0x840
> [   84.443928][    C0]  __ip_finish_output+0x471/0x840
> [   84.445988][    C0]  ? write_comp_data+0x1c/0x70
> [   84.448014][    C0]  ip_finish_output+0x32/0x140
> [   84.449946][    C0]  ip_output+0xb2/0x3b0
> [   84.451881][    C0]  ? __ip_finish_output+0x840/0x840
> [   84.453979][    C0]  ip_local_out+0x6e/0xd0
> [   84.455733][    C0]  __ip_queue_xmit+0x306/0x950
> [   84.457580][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.459761][    C0]  ? sock_net+0x11d/0x160
> [   84.461577][    C0]  __tcp_transmit_skb+0x845/0x1380
> [   84.463573][    C0]  tcp_connect+0xb02/0x1c80
> [   84.465713][    C0]  ? preempt_schedule_common+0x32/0x80
> [   84.468040][    C0]  tcp_v4_connect+0x72c/0x820
> [   84.470357][    C0]  __inet_stream_connect+0x157/0x630
> [   84.473029][    C0]  ? kmem_cache_alloc_trace+0x556/0x690
> [   84.475392][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.477659][    C0]  tcp_sendmsg_locked+0xf16/0x1440
> [   84.479765][    C0]  ? __local_bh_enable_ip+0x72/0xd0
> [   84.481880][    C0]  tcp_sendmsg+0x2b/0x40
> [   84.483651][    C0]  inet_sendmsg+0x45/0x70
> [   84.485640][    C0]  ? inet_send_prepare+0x2e0/0x2e0
> [   84.487807][    C0]  ____sys_sendmsg+0x390/0x3e0
> [   84.489794][    C0]  ? debug_object_activate+0x193/0x210
> [   84.491915][    C0]  ___sys_sendmsg+0x97/0xe0
> [   84.493713][    C0]  ? __lock_acquire+0x3b2/0x3160
> [   84.495653][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.497772][    C0]  ? __fget_light+0x99/0xe0
> [   84.499582][    C0]  __sys_sendmsg+0x88/0x100
> [   84.501976][    C0]  do_syscall_64+0x35/0xb0
> [   84.503841][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.506292][    C0] RIP: 0033:0x7fbbed5ec0f7
> [   84.508154][    C0] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> [   84.515353][    C0] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [   84.518867][    C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
> [   84.522178][    C0] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
> [   84.525355][    C0] RBP: 00007ffd7a1e762c R08: 0000000000000000 R09: 0000000000000000
> [   84.528392][    C0] R10: 1999999999999999 R11: 0000000000000246 R12: 00007ffd7a1e7630
> [   84.531766][    C0] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.535012][    C0]  </TASK>
> [   84.554710][    C0] net_namespace: net=ffff888036278000 count=3
> [   84.557308][    C0] CPU: 0 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.560308][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.563719][    C0] Call Trace:
> [   84.565561][    C0]  <IRQ>
> [   84.566936][    C0]  dump_stack_lvl+0xcd/0x134
> [   84.569111][    C0]  put_net.cold+0x1f/0x24
> [   84.571071][    C0]  __sk_destruct+0x1f9/0x3b0
> [   84.572995][    C0]  sk_destruct+0xa6/0xc0
> [   84.574855][    C0]  __sk_free+0x5a/0x1b0
> [   84.576633][    C0]  sk_free+0x6b/0x90
> [   84.578324][    C0]  deferred_put_nlk_sk+0xb7/0x150
> [   84.580383][    C0]  rcu_core+0x37d/0xa00
> [   84.582144][    C0]  ? rcu_core+0x31e/0xa00
> [   84.583970][    C0]  __do_softirq+0xde/0x539
> [   84.586435][    C0]  ? tcp_sendmsg+0x1d/0x40
> [   84.588290][    C0]  do_softirq+0xb1/0xf0
> [   84.590022][    C0]  </IRQ>
> [   84.591451][    C0]  <TASK>
> [   84.592751][    C0]  __local_bh_enable_ip+0xbf/0xd0
> [   84.594866][    C0]  tcp_sendmsg+0x1d/0x40
> [   84.596737][    C0]  inet_sendmsg+0x45/0x70
> [   84.598573][    C0]  ? inet_send_prepare+0x2e0/0x2e0
> [   84.600679][    C0]  ____sys_sendmsg+0x390/0x3e0
> [   84.602707][    C0]  ___sys_sendmsg+0x97/0xe0
> [   84.604712][    C0]  ? __lock_acquire+0x3b2/0x3160
> [   84.607154][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.609429][    C0]  ? __fget_light+0x99/0xe0
> [   84.611412][    C0]  __sys_sendmsg+0x88/0x100
> [   84.613325][    C0]  do_syscall_64+0x35/0xb0
> [   84.615297][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.617704][    C0] RIP: 0033:0x7fbbed5ec0f7
> [   84.619846][    C0] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> [   84.627115][    C0] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [   84.630656][    C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
> [   84.633812][    C0] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
> [   84.638113][    C0] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
> [   84.641422][    C0] R10: 00007ffd7a1e762c R11: 0000000000000246 R12: 00007ffd7a1e7630
> [   84.644856][    C0] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.648113][    C0]  </TASK>
> [   84.745096][    C2] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
> [   84.749028][    C2] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=2
> [   84.754738][    C2] CPU: 2 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.757944][    C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.761531][    C2] Call Trace:
> [   84.762930][    C2]  <IRQ>
> [   84.764209][    C2]  dump_stack_lvl+0xcd/0x134
> [   84.766204][    C2]  sock_net+0x118/0x160
> [   84.768239][    C2]  __inet_lookup_established+0x127/0x360
> [   84.770835][    C2]  tcp_v4_rcv+0xbae/0x1de0
> [   84.772780][    C2]  ip_protocol_deliver_rcu+0x52/0x630
> [   84.775163][    C2]  ip_local_deliver_finish+0xb4/0x1d0
> [   84.777395][    C2]  ip_local_deliver+0xa7/0x320
> [   84.779347][    C2]  ? ip_protocol_deliver_rcu+0x630/0x630
> [   84.781711][    C2]  ip_rcv_finish+0x108/0x170
> [   84.783656][    C2]  ip_rcv+0x69/0x2f0
> [   84.785609][    C2]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
> [   84.787945][    C2]  __netif_receive_skb_one_core+0x6a/0xa0
> [   84.790338][    C2]  __netif_receive_skb+0x24/0xa0
> [   84.792346][    C2]  process_backlog+0x11d/0x320
> [   84.794431][    C2]  __napi_poll+0x3d/0x3e0
> [   84.796592][    C2]  net_rx_action+0x34e/0x480
> [   84.798469][    C2]  __do_softirq+0xde/0x539
> [   84.800514][    C2]  ? sock_setsockopt+0x103/0x19f0
> [   84.803153][    C2]  do_softirq+0xb1/0xf0
> [   84.805116][    C2]  </IRQ>
> [   84.806534][    C2]  <TASK>
> [   84.807900][    C2]  __local_bh_enable_ip+0xbf/0xd0
> [   84.810002][    C2]  sock_setsockopt+0x103/0x19f0
> [   84.812178][    C2]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.814535][    C2]  __sys_setsockopt+0x2d1/0x330
> [   84.816496][    C2]  __x64_sys_setsockopt+0x22/0x30
> [   84.818633][    C2]  do_syscall_64+0x35/0xb0
> [   84.820620][    C2]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.823211][    C2] RIP: 0033:0x7fbbed50677e
> [   84.825098][    C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
> [   84.832280][    C2] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
> [   84.835905][    C2] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed50677e
> [   84.839164][    C2] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
> [   84.842605][    C2] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
> [   84.845893][    C2] R10: 00007ffd7a1e762c R11: 0000000000000217 R12: 00007ffd7a1e7630
> [   84.849091][    C2] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.852527][    C2]  </TASK>
> [   84.854068][    C2] net_namespace: sock=ffff88800e6a0000 is accessing untracked net=ffff888036278000
> [   84.858121][    C2] net_namespace: sk->sk_family=10 sk->sk_prot_creator->name=(efault) sk->sk_state=12 sk->sk_flags=0xffff88800bbd8c40 net->ns.count=2
> [   84.863384][    C2] CPU: 2 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   84.866705][    C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   84.870581][    C2] Call Trace:
> [   84.872201][    C2]  <IRQ>
> [   84.873449][    C2]  dump_stack_lvl+0xcd/0x134
> [   84.875838][    C2]  sock_net+0x118/0x160
> [   84.877670][    C2]  __inet_lookup_established+0x24f/0x360
> [   84.880054][    C2]  tcp_v4_rcv+0xbae/0x1de0
> [   84.881976][    C2]  ip_protocol_deliver_rcu+0x52/0x630
> [   84.884083][    C2]  ip_local_deliver_finish+0xb4/0x1d0
> [   84.886449][    C2]  ip_local_deliver+0xa7/0x320
> [   84.888449][    C2]  ? ip_protocol_deliver_rcu+0x630/0x630
> [   84.890881][    C2]  ip_rcv_finish+0x108/0x170
> [   84.893022][    C2]  ip_rcv+0x69/0x2f0
> [   84.894792][    C2]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
> [   84.897049][    C2]  __netif_receive_skb_one_core+0x6a/0xa0
> [   84.899296][    C2]  __netif_receive_skb+0x24/0xa0
> [   84.901420][    C2]  process_backlog+0x11d/0x320
> [   84.903470][    C2]  __napi_poll+0x3d/0x3e0
> [   84.905410][    C2]  net_rx_action+0x34e/0x480
> [   84.907399][    C2]  __do_softirq+0xde/0x539
> [   84.909259][    C2]  ? sock_setsockopt+0x103/0x19f0
> [   84.914100][    C2]  do_softirq+0xb1/0xf0
> [   84.915946][    C2]  </IRQ>
> [   84.917252][    C2]  <TASK>
> [   84.918598][    C2]  __local_bh_enable_ip+0xbf/0xd0
> [   84.920777][    C2]  sock_setsockopt+0x103/0x19f0
> [   84.922691][    C2]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [   84.924959][    C2]  __sys_setsockopt+0x2d1/0x330
> [   84.926866][    C2]  __x64_sys_setsockopt+0x22/0x30
> [   84.928837][    C2]  do_syscall_64+0x35/0xb0
> [   84.930807][    C2]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   84.933016][    C2] RIP: 0033:0x7fbbed50677e
> [   84.934935][    C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
> [   84.942206][    C2] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
> [   84.945740][    C2] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fbbed50677e
> [   84.948952][    C2] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
> [   84.952352][    C2] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
> [   84.955693][    C2] R10: 00007ffd7a1e762c R11: 0000000000000217 R12: 00007ffd7a1e7630
> [   84.958899][    C2] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   84.962649][    C2]  </TASK>
> [   87.351519][ T2875] net_namespace: net=ffff888036278000 count=2
> [   87.354530][ T2875] CPU: 1 PID: 2875 Comm: a.out Not tainted 5.17.0-dirty #748
> [   87.357551][ T2875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [   87.361185][ T2875] Call Trace:
> [   87.362550][ T2875]  <TASK>
> [   87.363891][ T2875]  dump_stack_lvl+0xcd/0x134
> [   87.365794][ T2875]  put_net.cold+0x1f/0x24
> [   87.367655][ T2875]  free_nsproxy+0x1fe/0x2c0
> [   87.369737][ T2875]  switch_task_namespaces+0x83/0x90
> [   87.372158][ T2875]  do_exit+0x566/0x13d0
> [   87.374030][ T2875]  ? find_held_lock+0x2b/0x80
> [   87.376164][ T2875]  ? get_signal+0x1ef/0x16b0
> [   87.378079][ T2875]  do_group_exit+0x51/0x100
> [   87.379966][ T2875]  get_signal+0x257/0x16b0
> [   87.382106][ T2875]  arch_do_signal_or_restart+0xeb/0x7f0
> [   87.384334][ T2875]  exit_to_user_mode_prepare+0x189/0x280
> [   87.386547][ T2875]  syscall_exit_to_user_mode+0x19/0x60
> [   87.388895][ T2875]  do_syscall_64+0x42/0xb0
> [   87.390765][ T2875]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   87.393095][ T2875] RIP: 0033:0x7fbbed5ec0f7
> [   87.395241][ T2875] Code: Unable to access opcode bytes at RIP 0x7fbbed5ec0cd.
> [   87.398613][ T2875] RSP: 002b:00007ffd7a1e7618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [   87.402381][ T2875] RAX: ffffffffffffff96 RBX: 0000000000000004 RCX: 00007fbbed5ec0f7
> [   87.405723][ T2875] RDX: 0000000020000811 RSI: 00007ffd7a1e7630 RDI: 0000000000000004
> [   87.409023][ T2875] RBP: 00007ffd7a1e762c R08: 0000000000000004 R09: 0000000000000000
> [   87.412238][ T2875] R10: 00007ffd7a1e762c R11: 0000000000000246 R12: 00007ffd7a1e7630
> [   87.415477][ T2875] R13: 0000000000000003 R14: 00007ffd7a1e7680 R15: 0000000000000000
> [   87.418590][ T2875]  </TASK>
> [   87.427287][ T2875] a.out (2875) used greatest stack depth: 11320 bytes left
> [  234.697150][    C0] net_namespace: net=ffff888036278000 count=1
> [  234.710780][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
> [  234.720528][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [  234.727887][    C0] Call Trace:
> [  234.730895][    C0]  <IRQ>
> [  234.734086][    C0]  dump_stack_lvl+0xcd/0x134
> [  234.738276][    C0]  put_net.cold+0x1f/0x24
> [  234.742162][    C0]  __sk_destruct+0x1f9/0x3b0
> [  234.746326][    C0]  sk_destruct+0xa6/0xc0
> [  234.749219][    C0]  __sk_free+0x5a/0x1b0
> [  234.751159][    C0]  sk_free+0x6b/0x90
> [  234.753239][    C0]  tcp_write_timer+0x1ff/0x240
> [  234.755181][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  234.757290][    C0]  call_timer_fn+0xe3/0x4f0
> [  234.759095][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  234.761341][    C0]  run_timer_softirq+0x812/0xac0
> [  234.763337][    C0]  __do_softirq+0xde/0x539
> [  234.765104][    C0]  irq_exit_rcu+0xb6/0xf0
> [  234.766789][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
> [  234.769139][    C0]  </IRQ>
> [  234.770482][    C0]  <TASK>
> [  234.771702][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  234.774065][    C0] RIP: 0010:default_idle+0xb/0x10
> [  234.776010][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
> [  234.783374][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
> [  234.785849][    C0] RAX: 000000000002246b RBX: 0000000000000000 RCX: ffffffff842622c0
> [  234.789116][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> [  234.792254][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
> [  234.795720][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
> [  234.798927][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
> [  234.802563][    C0]  default_idle_call+0x6a/0x260
> [  234.804592][    C0]  do_idle+0x20c/0x260
> [  234.806332][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
> [  234.808693][    C0]  cpu_startup_entry+0x14/0x20
> [  234.810686][    C0]  start_kernel+0x8f7/0x91e
> [  234.812538][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
> [  234.815399][    C0]  </TASK>
> [  234.816785][    C0] net_namespace: Releasing net=ffff888036278000 net->ns.count=0 in_use=0
> [  234.820358][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
> [  234.823664][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [  234.827160][    C0] Call Trace:
> [  234.828540][    C0]  <IRQ>
> [  234.829812][    C0]  dump_stack_lvl+0xcd/0x134
> [  234.831775][    C0]  __put_net+0xc8/0x130
> [  234.834723][    C0]  put_net+0x7d/0xb0
> [  234.836516][    C0]  __sk_destruct+0x1f9/0x3b0
> [  234.838546][    C0]  sk_destruct+0xa6/0xc0
> [  234.840453][    C0]  __sk_free+0x5a/0x1b0
> [  234.842217][    C0]  sk_free+0x6b/0x90
> [  234.844007][    C0]  tcp_write_timer+0x1ff/0x240
> [  234.845938][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  234.848146][    C0]  call_timer_fn+0xe3/0x4f0
> [  234.850145][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  234.852503][    C0]  run_timer_softirq+0x812/0xac0
> [  234.855025][    C0]  __do_softirq+0xde/0x539
> [  234.856908][    C0]  irq_exit_rcu+0xb6/0xf0
> [  234.858712][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
> [  234.860980][    C0]  </IRQ>
> [  234.862279][    C0]  <TASK>
> [  234.863598][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  234.865966][    C0] RIP: 0010:default_idle+0xb/0x10
> [  234.868109][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
> [  234.875407][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
> [  234.877869][    C0] RAX: 000000000002246b RBX: 0000000000000000 RCX: ffffffff842622c0
> [  234.881349][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> [  234.885150][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
> [  234.888442][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
> [  234.891831][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
> [  234.895041][    C0]  default_idle_call+0x6a/0x260
> [  234.897019][    C0]  do_idle+0x20c/0x260
> [  234.898782][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
> [  234.901456][    C0]  cpu_startup_entry+0x14/0x20
> [  234.903364][    C0]  start_kernel+0x8f7/0x91e
> [  234.905180][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
> [  234.907426][    C0]  </TASK>
> [  234.909661][    C0] INFO: About to destroy net=ffff888036278000 sk=ffff888036058b80
> [  234.913082][    C0] sk->sk_family=2 sk->sk_prot_creator->name=TCP sk->sk_state=7 sk->sk_flags=0x301 net->ns.count=0
> [  260.295512][    C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
> [  260.301941][    C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
> [  260.317639][    C0] ------------[ cut here ]------------
> [  260.323152][    C0] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:461 tcp_retransmit_timer.cold+0xdf/0xe6
> [  260.334901][    C0] Modules linked in:
> [  260.338356][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
> [  260.342593][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [  260.346821][    C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
> [  260.349704][    C0] Code: 10 48 c7 c7 60 9d ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 a8 25 f2 ff <0f> 0b e9 b6 40 5f ff e8 f3 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
> [  260.359054][    C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
> [  260.362281][    C0] RAX: 0000000000000063 RBX: ffff888036278000 RCX: ffffffff842622c0
> [  260.365646][    C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
> [  260.368691][    C0] RBP: ffff88800e2d8000 R08: ffffffff81170398 R09: 0000000000000000
> [  260.371828][    C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
> [  260.375009][    C0] R13: ffff88800e2d8000 R14: ffff88800e2d8098 R15: ffff88800e2d8080
> [  260.378533][    C0] FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
> [  260.382408][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  260.385155][    C0] CR2: 00007fbbed4c8dc0 CR3: 000000000d765000 CR4: 00000000000506f0
> [  260.388406][    C0] Call Trace:
> [  260.389929][    C0]  <IRQ>
> [  260.391386][    C0]  ? lockdep_hardirqs_on+0x79/0x100
> [  260.393743][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [  260.396147][    C0]  ? ktime_get+0x2d3/0x400
> [  260.398064][    C0]  tcp_write_timer_handler+0x257/0x3f0
> [  260.400357][    C0]  tcp_write_timer+0x19c/0x240
> [  260.402389][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  260.405068][    C0]  call_timer_fn+0xe3/0x4f0
> [  260.407041][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  260.409308][    C0]  run_timer_softirq+0x812/0xac0
> [  260.411613][    C0]  __do_softirq+0xde/0x539
> [  260.413646][    C0]  irq_exit_rcu+0xb6/0xf0
> [  260.415607][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
> [  260.417882][    C0]  </IRQ>
> [  260.419276][    C0]  <TASK>
> [  260.420672][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  260.423039][    C0] RIP: 0010:default_idle+0xb/0x10
> [  260.425291][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
> [  260.433105][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000206
> [  260.435589][    C0] RAX: 0000000000024239 RBX: 0000000000000000 RCX: ffffffff842622c0
> [  260.438759][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> [  260.441945][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
> [  260.445777][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
> [  260.449093][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
> [  260.452404][    C0]  default_idle_call+0x6a/0x260
> [  260.454562][    C0]  do_idle+0x20c/0x260
> [  260.456353][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
> [  260.458887][    C0]  cpu_startup_entry+0x14/0x20
> [  260.461152][    C0]  start_kernel+0x8f7/0x91e
> [  260.463226][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
> [  260.465718][    C0]  </TASK>
> [  260.467111][    C0] Kernel panic - not syncing: panic_on_warn set ...
> [  260.469664][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #748
> [  260.472684][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> [  260.476355][    C0] Call Trace:
> [  260.477800][    C0]  <IRQ>
> [  260.479141][    C0]  dump_stack_lvl+0xcd/0x134
> [  260.481197][    C0]  panic+0x1d0/0x537
> [  260.482913][    C0]  ? __warn.cold+0xb0/0x228
> [  260.484892][    C0]  ? tcp_retransmit_timer.cold+0xdf/0xe6
> [  260.487190][    C0]  __warn.cold+0xc6/0x228
> [  260.488963][    C0]  ? tcp_retransmit_timer.cold+0xdf/0xe6
> [  260.491241][    C0]  report_bug+0x188/0x1d0
> [  260.493109][    C0]  handle_bug+0x3c/0x60
> [  260.495107][    C0]  exc_invalid_op+0x14/0x70
> [  260.497016][    C0]  asm_exc_invalid_op+0x12/0x20
> [  260.499037][    C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
> [  260.501651][    C0] Code: 10 48 c7 c7 60 9d ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 a8 25 f2 ff <0f> 0b e9 b6 40 5f ff e8 f3 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
> [  260.508760][    C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
> [  260.511211][    C0] RAX: 0000000000000063 RBX: ffff888036278000 RCX: ffffffff842622c0
> [  260.514559][    C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
> [  260.517942][    C0] RBP: ffff88800e2d8000 R08: ffffffff81170398 R09: 0000000000000000
> [  260.521127][    C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
> [  260.524366][    C0] R13: ffff88800e2d8000 R14: ffff88800e2d8098 R15: ffff88800e2d8080
> [  260.528260][    C0]  ? vprintk+0x88/0x90
> [  260.530145][    C0]  ? lockdep_hardirqs_on+0x79/0x100
> [  260.532452][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
> [  260.535072][    C0]  ? ktime_get+0x2d3/0x400
> [  260.536958][    C0]  tcp_write_timer_handler+0x257/0x3f0
> [  260.539214][    C0]  tcp_write_timer+0x19c/0x240
> [  260.541237][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  260.543627][    C0]  call_timer_fn+0xe3/0x4f0
> [  260.545677][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
> [  260.547973][    C0]  run_timer_softirq+0x812/0xac0
> [  260.550053][    C0]  __do_softirq+0xde/0x539
> [  260.551937][    C0]  irq_exit_rcu+0xb6/0xf0
> [  260.553767][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
> [  260.556439][    C0]  </IRQ>
> [  260.557744][    C0]  <TASK>
> [  260.559051][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  260.561515][    C0] RIP: 0010:default_idle+0xb/0x10
> [  260.563619][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 93 09 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
> [  260.570866][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000206
> [  260.573255][    C0] RAX: 0000000000024239 RBX: 0000000000000000 RCX: ffffffff842622c0
> [  260.577004][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> [  260.580254][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
> [  260.583366][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
> [  260.586553][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
> [  260.589759][    C0]  default_idle_call+0x6a/0x260
> [  260.591774][    C0]  do_idle+0x20c/0x260
> [  260.593618][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
> [  260.596736][    C0]  cpu_startup_entry+0x14/0x20
> [  260.598736][    C0]  start_kernel+0x8f7/0x91e
> [  260.600659][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
> [  260.603066][    C0]  </TASK>
> [  260.605294][    C0] Kernel Offset: disabled
> [  260.607310][    C0] Rebooting in 10 seconds..
> ------------------------------------------------------------
>
> Would you check where this PF_INET6 socket is created at and whether
> this PF_INET6 socket is taking a reference to the net namespace?
>


Try removing NFS from your kernel .config? If your repro still works,
then another user of kernel TCP socket needs some care.

NFS maintainers and other folks are already working on fixing this issue,
which is partly caused by fs/file_table.c being able to delay fput(),
look at the code in fput_many().

Kernel TCP sockets are tricky, they (for good reasons) do not take a
reference on the net namespace.

This also means that users of such sockets need to make sure the
various TCP timers have completed,
as sk_stop_timer() is not using del_timer_sync().

Even after a synchronous fput(), there is no guarantee that another
CPU is not running some of the socket timer functions.


* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-09 16:46     ` Eric Dumazet
@ 2022-04-09 17:47       ` Eric Dumazet
  2022-04-09 17:55         ` Eric Dumazet
  2022-04-10 11:36         ` Tetsuo Handa
  0 siblings, 2 replies; 11+ messages in thread
From: Eric Dumazet @ 2022-04-09 17:47 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko,
	Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern,
	John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski,
	Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, tpa,
	Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds,
	Trond Myklebust

On Sat, Apr 9, 2022 at 9:46 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Sat, Apr 9, 2022 at 1:19 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >
> > Hello, bpf developers.
> >
> > syzbot is reporting use-after-free increment at __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS).
>
>
> Try removing NFS from your kernel .config ? If your repro still works,
> then another user of kernel TCP socket needs some care.
>
> NFS maintainers and other folks are already working on fixing this issue,
> which is partly caused by fs/file_table.c being able to delay fput(),
> look at code in fput_many()
>
> Kernel TCP sockets are tricky, they (for good reasons) do not take a
> reference on the net namespace.
>
> This also means that users of such sockets need to make sure the
> various tcp timers have been completed,
> as sk_stop_timer() is not using del_timer_sync()
>
> Even after a synchronous fput(), there is no guarantee that another
> cpu is not running some of the socket timers functions.

So please add to your tree the NFS fix:

commit f00432063db1a0db484e85193eccc6845435b80e
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Sun Apr 3 15:58:11 2022 -0400

    SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

    We must ensure that all sockets are closed before we call xprt_free()
    and release the reference to the net namespace. The problem is that
    calling fput() will defer closing the socket until delayed_fput() gets
    called.
    Let's fix the situation by allowing rpciod and the transport teardown
    code (which runs on the system wq) to call __fput_sync(), and directly
    close the socket.

    Reported-by: Felix Fu <foyjog@gmail.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Fixes: a73881c96d73 ("SUNRPC: Fix an Oops in udp_poll()")
    Cc: stable@vger.kernel.org # 5.1.x: 3be232f11a3c: SUNRPC: Prevent immediate close+reconnect
    Cc: stable@vger.kernel.org # 5.1.x: 89f42494f92f: SUNRPC: Don't call connect() more than once on a TCP socket
    Cc: stable@vger.kernel.org # 5.1.x
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

Then on top of that, add the following fix (I will formally submit
this one once back to work, Monday morning)

diff --git a/include/net/inet_connection_sock.h
b/include/net/inet_connection_sock.h
index 3908296d103fd2de9284adea64dba94fe6b8720f..e2c856ae4fdbef5bd3c7728e376786b804e2d4f1
100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -171,6 +171,7 @@ void inet_csk_init_xmit_timers(struct sock *sk,
                               void (*delack_handler)(struct timer_list *),
                               void (*keepalive_handler)(struct timer_list *));
 void inet_csk_clear_xmit_timers(struct sock *sk);
+void inet_csk_clear_xmit_timers_sync(struct sock *sk);

 static inline void inet_csk_schedule_ack(struct sock *sk)
 {
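
Review bot: the new `inet_csk_clear_xmit_timers_sync()` prototype carries no comment telling callers when to prefer it over `inet_csk_clear_xmit_timers()` directly above it. Add a line on the declaration stating that it waits for any timer handler still running on another CPU, so it cannot be called from interrupt or timer-softirq context or while holding a lock the handlers take, and that it exists for sockets with `sk->sk_net_refcnt == 0`, which hold no net namespace reference and must have their timers finished before their last reference is dropped.
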
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 1e5b53c2bb2670fc90b789e853458f5c86a00c27..aab83b766014d0a091a73bdc13376d9cdae99b27
100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -581,6 +581,17 @@ void inet_csk_clear_xmit_timers(struct sock *sk)
 }
 EXPORT_SYMBOL(inet_csk_clear_xmit_timers);

+void inet_csk_clear_xmit_timers_sync(struct sock *sk)
+{
+       struct inet_connection_sock *icsk = inet_csk(sk);
+
+       icsk->icsk_pending = icsk->icsk_ack.pending = 0;
+
+       sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer);
+       sk_stop_timer_sync(sk, &icsk->icsk_delack_timer);
+       sk_stop_timer_sync(sk, &sk->sk_timer);
+}
+
 void inet_csk_delete_keepalive_timer(struct sock *sk)
 {
        sk_stop_timer(sk, &sk->sk_timer);
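
Review bot: the body of `inet_csk_clear_xmit_timers_sync()` is `inet_csk_clear_xmit_timers()` with `sk_stop_timer()` replaced by `sk_stop_timer_sync()`, and nothing says why two copies are needed; a header comment should record that `sk_stop_timer_sync()` both cancels a pending timer and waits for a running handler, so after the three calls return no handler can still dereference `sock_net(sk)`, which is exactly what the non-sync version does not guarantee. Note also that the function is not exported while `inet_csk_clear_xmit_timers` is (`EXPORT_SYMBOL` at the top of the hunk); that is fine while the only caller is the built-in `tcp_close()`, but modular users of kernel TCP sockets could not call it directly.
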
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e31cf137c6140f76f838b4a0dcddf9f104ad653b..3dacd202bf2af43c55ffe820c08316150d2018ea
100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2928,6 +2928,8 @@ void tcp_close(struct sock *sk, long timeout)
        lock_sock(sk);
        __tcp_close(sk, timeout);
        release_sock(sk);
+       if (!sk->sk_net_refcnt)
+               inet_csk_clear_xmit_timers_sync(sk);
        sock_put(sk);
 }
 EXPORT_SYMBOL(tcp_close);
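
Review bot: the `!sk->sk_net_refcnt` guard and its placement after `release_sock()` both need an inline comment. The guard restricts the synchronous stop to kernel sockets, which take no reference on their net namespace, so a handler still running after close can read a freed `struct net` (the `__NET_INC_STATS(sock_net(sk), ...)` use-after-free this thread is about). The placement matters because the TCP timer handlers take `bh_lock_sock()` and, when the socket is owned by user, defer their work to `release_sock()`, so waiting on them before the owner lock is dropped would let that deferred work run after the stop. A debug check that the socket is not owned at this point would keep a future caller from moving the call under `lock_sock()`. Finally, the follow-up test in this thread reports `__sk_destruct()` no longer being reached for the cloned child socket with this change, so the reference bookkeeping between `sk_stop_timer_sync()` and the handler's own `sock_put()` deserves a look before the patch is formally submitted.
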


* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-09 17:47       ` Eric Dumazet
@ 2022-04-09 17:55         ` Eric Dumazet
  2022-04-10  0:38           ` Tetsuo Handa
  2022-04-10 11:36         ` Tetsuo Handa
  1 sibling, 1 reply; 11+ messages in thread
From: Eric Dumazet @ 2022-04-09 17:55 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko,
	Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern,
	John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski,
	Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, tpa,
	Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds,
	Trond Myklebust

On Sat, Apr 9, 2022 at 10:47 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Sat, Apr 9, 2022 at 9:46 AM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Sat, Apr 9, 2022 at 1:19 AM Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> > >
> > > Hello, bpf developers.
> > >
> > > syzbot is reporting use-after-free increment at __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS).
> >
> >
> > Try removing NFS from your kernel .config ? If your repro still works,
> > then another user of kernel TCP socket needs some care.
> >
> > NFS maintainers and other folks are already working on fixing this issue,
> > which is partly caused by fs/file_table.c being able to delay fput(),
> > look at code in fput_many()
> >
> > Kernel TCP sockets are tricky, they (for good reasons) do not take a
> > reference on the net namespace.
> >
> > This also means that users of such sockets need to make sure the
> > various tcp timers have been completed,
> > as sk_stop_timer() is not using del_timer_sync()
> >
> > Even after a synchronous fput(), there is no guarantee that another
> > cpu is not running some of the socket timers functions.
>
> So please add to your tree the NFS fix:
>
> commit f00432063db1a0db484e85193eccc6845435b80e
> Author: Trond Myklebust <trond.myklebust@hammerspace.com>
> Date:   Sun Apr 3 15:58:11 2022 -0400
>
>     SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()
>
>     We must ensure that all sockets are closed before we call xprt_free()
>     and release the reference to the net namespace. The problem is that
>     calling fput() will defer closing the socket until delayed_fput() gets
>     called.
>     Let's fix the situation by allowing rpciod and the transport teardown
>     code (which runs on the system wq) to call __fput_sync(), and directly
>     close the socket.
>
>     Reported-by: Felix Fu <foyjog@gmail.com>
>     Acked-by: Al Viro <viro@zeniv.linux.org.uk>
>     Fixes: a73881c96d73 ("SUNRPC: Fix an Oops in udp_poll()")
>     Cc: stable@vger.kernel.org # 5.1.x: 3be232f11a3c: SUNRPC: Prevent
> immediate close+reconnect
>     Cc: stable@vger.kernel.org # 5.1.x: 89f42494f92f: SUNRPC: Don't
> call connect() more than once on a TCP socket
>     Cc: stable@vger.kernel.org # 5.1.x
>     Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
>
> Then on top of that, add the following fix (I will formally submit
> this one once back to work, Monday morning)
>
> diff --git a/include/net/inet_connection_sock.h
> b/include/net/inet_connection_sock.h
> index 3908296d103fd2de9284adea64dba94fe6b8720f..e2c856ae4fdbef5bd3c7728e376786b804e2d4f1
> 100644
> --- a/include/net/inet_connection_sock.h
> +++ b/include/net/inet_connection_sock.h
> @@ -171,6 +171,7 @@ void inet_csk_init_xmit_timers(struct sock *sk,
>                                void (*delack_handler)(struct timer_list *),
>                                void (*keepalive_handler)(struct timer_list *));
>  void inet_csk_clear_xmit_timers(struct sock *sk);
> +void inet_csk_clear_xmit_timers_sync(struct sock *sk);
>
>  static inline void inet_csk_schedule_ack(struct sock *sk)
>  {
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index 1e5b53c2bb2670fc90b789e853458f5c86a00c27..aab83b766014d0a091a73bdc13376d9cdae99b27
> 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -581,6 +581,17 @@ void inet_csk_clear_xmit_timers(struct sock *sk)
>  }
>  EXPORT_SYMBOL(inet_csk_clear_xmit_timers);
>
> +void inet_csk_clear_xmit_timers_sync(struct sock *sk)
> +{
> +       struct inet_connection_sock *icsk = inet_csk(sk);
> +
> +       icsk->icsk_pending = icsk->icsk_ack.pending = 0;
> +
> +       sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer);
> +       sk_stop_timer_sync(sk, &icsk->icsk_delack_timer);
> +       sk_stop_timer_sync(sk, &sk->sk_timer);
> +}
> +
>  void inet_csk_delete_keepalive_timer(struct sock *sk)
>  {
>         sk_stop_timer(sk, &sk->sk_timer);
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index e31cf137c6140f76f838b4a0dcddf9f104ad653b..3dacd202bf2af43c55ffe820c08316150d2018ea
> 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -2928,6 +2928,8 @@ void tcp_close(struct sock *sk, long timeout)
>         lock_sock(sk);
>         __tcp_close(sk, timeout);
>         release_sock(sk);
> +       if (!sk->sk_net_refcnt)
> +               inet_csk_clear_xmit_timers_sync(sk);
>         sock_put(sk);
>  }
>  EXPORT_SYMBOL(tcp_close);

Side note: we will probably be able to revert this patch, which perhaps
was working around the real issue.

commit 4ee806d51176ba7b8ff1efd81f271d7252e03a1d
Author: Dan Streetman <ddstreet@ieee.org>
Date:   Thu Jan 18 16:14:26 2018 -0500

    net: tcp: close sock if net namespace is exiting

    When a tcp socket is closed, if it detects that its net namespace is
    exiting, close immediately and do not wait for FIN sequence.

    For normal sockets, a reference is taken to their net namespace, so it will
    never exit while the socket is open.  However, kernel sockets do not take a
    reference to their net namespace, so it may begin exiting while the kernel
    socket is still open.  In this case if the kernel socket is a tcp socket,
    it will stay open trying to complete its close sequence.  The sock's dst(s)
    hold a reference to their interface, which are all transferred to the
    namespace's loopback interface when the real interfaces are taken down.
    When the namespace tries to take down its loopback interface, it hangs
    waiting for all references to the loopback interface to release, which
    results in messages like:

    unregister_netdevice: waiting for lo to become free. Usage count = 1

    These messages continue until the socket finally times out and closes.
    Since the net namespace cleanup holds the net_mutex while calling its
    registered pernet callbacks, any new net namespace initialization is
    blocked until the current net namespace finishes exiting.

    After this change, the tcp socket notices the exiting net namespace, and
    closes immediately, releasing its dst(s) and their reference to the
    loopback interface, which lets the net namespace continue exiting.

    Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1711407
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=97811
    Signed-off-by: Dan Streetman <ddstreet@canonical.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>


* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-09 17:55         ` Eric Dumazet
@ 2022-04-10  0:38           ` Tetsuo Handa
  2022-04-10  5:39             ` Tetsuo Handa
  0 siblings, 1 reply; 11+ messages in thread
From: Tetsuo Handa @ 2022-04-10  0:38 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko,
	Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern,
	John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski,
	Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, tpa,
	Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds,
	Trond Myklebust

On 2022/04/10 1:46, Eric Dumazet wrote:
> Try removing NFS from your kernel .config ? If your repro still works,
> then another user of kernel TCP socket needs some care.

Since my .config is CONFIG_NETWORK_FILESYSTEMS=n, NFS is irrelevant.

On 2022/04/10 2:47, Eric Dumazet wrote:
> So please add to your tree the NFS fix:
> 
> commit f00432063db1a0db484e85193eccc6845435b80e
> Author: Trond Myklebust <trond.myklebust@hammerspace.com>
> Date:   Sun Apr 3 15:58:11 2022 -0400
> 
>     SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

Since CONFIG_SUNRPC depends on CONFIG_NETWORK_FILESYSTEMS=y,
this NFS fix will also be irrelevant.

On 2022/04/10 2:55, Eric Dumazet wrote:
> Side note: We will probably be able to revert this patch, that perhaps
> was working around the real issue.
> 
> commit 4ee806d51176ba7b8ff1efd81f271d7252e03a1d
> Author: Dan Streetman <ddstreet@ieee.org>
> Date:   Thu Jan 18 16:14:26 2018 -0500
> 
>     net: tcp: close sock if net namespace is exiting

I uploaded my .config at https://I-love.SAKURA.ne.jp/tmp/config-5.17
so that you can try this reproducer using my .config file.

I haven't identified where the socket

[  260.295512][    C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
[  260.301941][    C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0

came from. Can you identify the location?



* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-10  0:38           ` Tetsuo Handa
@ 2022-04-10  5:39             ` Tetsuo Handa
  0 siblings, 0 replies; 11+ messages in thread
From: Tetsuo Handa @ 2022-04-10  5:39 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko,
	Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern,
	John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski,
	Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, tpa,
	Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds,
	Trond Myklebust

On 2022/04/10 9:38, Tetsuo Handa wrote:
> I haven't identified where the socket
> 
> [  260.295512][    C0] BUG: Trying to access destroyed net=ffff888036278000 sk=ffff88800e2d8000
> [  260.301941][    C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
> 
> came from. Can you identify the location?
> 

It seems that a socket with sk->sk_net_refcnt=0 is created by unshare(CLONE_NEWNET),

------------------------------------------------------------
[   84.507864][ T2877] sock: sk_alloc(): family=10 net=ffff88800ec88000 sk=ffff888104138c40 sk->sk_net_refcnt=0
[   84.512117][ T2877] CPU: 0 PID: 2877 Comm: a.out Not tainted 5.17.0-dirty #756
[   84.515103][ T2877] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   84.518916][ T2877] Call Trace:
[   84.520346][ T2877]  <TASK>
[   84.521671][ T2877]  dump_stack_lvl+0xcd/0x134
[   84.523633][ T2877]  sk_alloc.cold+0x26/0x2b
[   84.525523][ T2877]  inet6_create+0x215/0x840
[   84.527600][ T2877]  __sock_create+0x20e/0x4f0
[   84.529576][ T2877]  rds_tcp_listen_init+0x69/0x1f0
[   84.531689][ T2877]  ? do_raw_spin_unlock+0x50/0xd0
[   84.533826][ T2877]  ? _raw_spin_unlock+0x24/0x40
[   84.535866][ T2877]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   84.538109][ T2877]  ? __register_sysctl_table+0x384/0x6d0
[   84.540459][ T2877]  rds_tcp_init_net+0x154/0x300
[   84.542512][ T2877]  ? rds_tcp_exit+0x1f0/0x1f0
[   84.544488][ T2877]  ops_init+0x4e/0x210
[   84.546237][ T2877]  setup_net+0x22b/0x4a0
[   84.548075][ T2877]  copy_net_ns+0x1a3/0x380
[   84.550132][ T2877]  create_new_namespaces.isra.0+0x187/0x460
[   84.552740][ T2877]  unshare_nsproxy_namespaces+0xa2/0x120
[   84.555040][ T2877]  ksys_unshare+0x2fe/0x640
[   84.556861][ T2877]  __x64_sys_unshare+0x12/0x20
[   84.558756][ T2877]  do_syscall_64+0x35/0xb0
[   84.561296][ T2877]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   84.563605][ T2877] RIP: 0033:0x7f9030c55e2b
[   84.565323][ T2877] Code: 73 01 c3 48 8b 0d 65 c0 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 c0 0c 00 f7 d8 64 89 01 48
[   84.572520][ T2877] RSP: 002b:00007fffddd1ef88 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
[   84.576338][ T2877] RAX: ffffffffffffffda RBX: 000055c460627880 RCX: 00007f9030c55e2b
[   84.579952][ T2877] RDX: 00007fffddd1f198 RSI: 00007fffddd1f188 RDI: 0000000040000000
[   84.583656][ T2877] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f9030d67d50
[   84.586688][ T2877] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c460627410
[   84.589682][ T2877] R13: 00007fffddd1f180 R14: 0000000000000000 R15: 0000000000000000
[   84.593111][ T2877]  </TASK>
------------------------------------------------------------

and something creates a new socket by invoking sk_clone_lock().
But since sk->sk_net_refcnt=0, net->ns.count is not incremented when the new socket is created.

------------------------------------------------------------
[   85.280860][    C0] sock: sk_clone_lock(): sk=ffff888104138c40 net=ffff88800ec88000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[   85.286319][    C0] sock: sk_clone_lock(): newsk=ffff888104139880 net=ffff88800ec88000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[   85.292668][    C0] CPU: 0 PID: 2877 Comm: a.out Not tainted 5.17.0-dirty #756
[   85.295870][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   85.299371][    C0] Call Trace:
[   85.300734][    C0]  <IRQ>
[   85.302049][    C0]  dump_stack_lvl+0xcd/0x134
[   85.303996][    C0]  sk_clone_lock.cold+0x37/0x70
[   85.305959][    C0]  inet_csk_clone_lock+0x1f/0x110
[   85.308022][    C0]  tcp_create_openreq_child+0x2c/0x560
[   85.310198][    C0]  tcp_v4_syn_recv_sock+0x73/0x810
[   85.312460][    C0]  tcp_v6_syn_recv_sock+0x9cf/0x1020
[   85.314549][    C0]  ? find_held_lock+0x2b/0x80
[   85.316714][    C0]  ? write_comp_data+0x1c/0x70
[   85.318581][    C0]  ? write_comp_data+0x1c/0x70
[   85.320685][    C0]  ? tcp_parse_options+0xb4/0x660
[   85.322841][    C0]  tcp_check_req+0x31a/0xa60
[   85.324750][    C0]  tcp_v4_rcv+0x150f/0x1de0
[   85.326518][    C0]  ip_protocol_deliver_rcu+0x52/0x630
[   85.328923][    C0]  ip_local_deliver_finish+0xb4/0x1d0
[   85.331626][    C0]  ip_local_deliver+0xa7/0x320
[   85.333702][    C0]  ? ip_protocol_deliver_rcu+0x630/0x630
[   85.335873][    C0]  ip_rcv_finish+0x108/0x170
[   85.337775][    C0]  ip_rcv+0x69/0x2f0
[   85.339461][    C0]  ? ip_rcv_finish_core.isra.0+0xbb0/0xbb0
[   85.341973][    C0]  __netif_receive_skb_one_core+0x6a/0xa0
[   85.344625][    C0]  __netif_receive_skb+0x24/0xa0
[   85.346637][    C0]  process_backlog+0x11d/0x320
[   85.348778][    C0]  __napi_poll+0x3d/0x3e0
[   85.350974][    C0]  net_rx_action+0x34e/0x480
[   85.353042][    C0]  __do_softirq+0xde/0x539
[   85.354871][    C0]  ? sock_setsockopt+0x103/0x19f0
[   85.356926][    C0]  do_softirq+0xb1/0xf0
[   85.358650][    C0]  </IRQ>
[   85.359962][    C0]  <TASK>
[   85.361518][    C0]  __local_bh_enable_ip+0xbf/0xd0
[   85.364170][    C0]  sock_setsockopt+0x103/0x19f0
[   85.366200][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[   85.368309][    C0]  __sys_setsockopt+0x2d1/0x330
[   85.370298][    C0]  __x64_sys_setsockopt+0x22/0x30
[   85.372428][    C0]  do_syscall_64+0x35/0xb0
[   85.374243][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   85.376538][    C0] RIP: 0033:0x7f9030c5677e
[   85.378474][    C0] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e2 b6 0c 00 f7 d8 64 89 01 48
[   85.386716][    C0] RSP: 002b:00007fffddd1ef88 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[   85.389991][    C0] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f9030c5677e
[   85.393300][    C0] RDX: 0000000000000032 RSI: 0000000000000001 RDI: 0000000000000004
[   85.396636][    C0] RBP: 00007fffddd1ef9c R08: 0000000000000004 R09: 0000000000000000
[   85.399672][    C0] R10: 00007fffddd1ef9c R11: 0000000000000217 R12: 00007fffddd1efa0
[   85.403298][    C0] R13: 0000000000000003 R14: 00007fffddd1eff0 R15: 0000000000000000
[   85.406311][    C0]  </TASK>
------------------------------------------------------------

Then, when the original socket is close()d and destructed, net->ns.count is decremented.

------------------------------------------------------------
[  204.164238][    C1] sock: __sk_destruct(): sk=ffff888104138c40 family=10 net=ffff88800ec88000 sk->sk_net_refcnt=0
------------------------------------------------------------

But the cloned socket is still there and the TCP retransmit timer fires.

------------------------------------------------------------
[  224.550620][    C0] BUG: Trying to access destroyed net=ffff88800ec88000 sk=ffff888104139880
[  224.555669][    C0] sk->sk_family=10 sk->sk_prot_creator->name=TCPv6 sk->sk_state=11 sk->sk_flags=0x30b net->ns.count=0
[  224.562340][    C0] ------------[ cut here ]------------
[  224.564697][    C0] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:461 tcp_retransmit_timer.cold+0xdf/0xe6
[  224.569214][    C0] Modules linked in:
[  224.571197][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-dirty #756
[  224.574659][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  224.578719][    C0] RIP: 0010:tcp_retransmit_timer.cold+0xdf/0xe6
[  224.581467][    C0] Code: 10 48 c7 c7 08 9f ff 83 48 8b 85 a0 03 00 00 44 8b 8b 4c 01 00 00 4c 8b 45 60 0f b6 4d 12 48 8d 90 88 01 00 00 e8 fe 24 f2 ff <0f> 0b e9 9c 40 5f ff e8 49 59 ee fd 41 0f b6 d5 4c 89 e6 48 c7 c7
[  224.589620][    C0] RSP: 0018:ffffc90000003d90 EFLAGS: 00010286
[  224.592253][    C0] RAX: 0000000000000063 RBX: ffff88800ec88000 RCX: ffffffff842622c0
[  224.595621][    C0] RDX: 0000000000000000 RSI: ffffffff842622c0 RDI: 0000000000000002
[  224.599035][    C0] RBP: ffff888104139880 R08: ffffffff81170398 R09: 0000000000000000
[  224.602406][    C0] R10: 0000000000000005 R11: 0000000000080000 R12: 0000000000000001
[  224.605791][    C0] R13: ffff888104139880 R14: ffff888104139918 R15: ffff888104139900
[  224.609110][    C0] FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[  224.612767][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  224.615409][    C0] CR2: 00007f11279aa340 CR3: 000000000d735000 CR4: 00000000000506f0
[  224.618937][    C0] Call Trace:
[  224.620480][    C0]  <IRQ>
[  224.621889][    C0]  ? lockdep_hardirqs_on+0x79/0x100
[  224.624114][    C0]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[  224.626512][    C0]  ? ktime_get+0x2d3/0x400
[  224.628463][    C0]  tcp_write_timer_handler+0x257/0x3f0
[  224.630776][    C0]  tcp_write_timer+0x19c/0x240
[  224.632860][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  224.635251][    C0]  call_timer_fn+0xe3/0x4f0
[  224.637699][    C0]  ? tcp_write_timer_handler+0x3f0/0x3f0
[  224.640055][    C0]  run_timer_softirq+0x812/0xac0
[  224.642270][    C0]  __do_softirq+0xde/0x539
[  224.644238][    C0]  irq_exit_rcu+0xb6/0xf0
[  224.646170][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
[  224.648543][    C0]  </IRQ>
[  224.650083][    C0]  <TASK>
[  224.651715][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  224.654189][    C0] RIP: 0010:default_idle+0xb/0x10
[  224.656669][    C0] Code: 00 00 00 75 09 48 83 c4 18 5b 5d 41 5c c3 e8 5c 96 fe ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d e3 08 48 00 fb f4 <c3> 0f 1f 40 00 65 48 8b 04 25 40 af 01 00 f0 80 48 02 20 48 8b 10
[  224.663980][    C0] RSP: 0018:ffffffff84203e90 EFLAGS: 00000202
[  224.666737][    C0] RAX: 0000000000030067 RBX: 0000000000000000 RCX: ffffffff842622c0
[  224.670022][    C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  224.673311][    C0] RBP: ffffffff842622c0 R08: 0000000000000001 R09: 0000000000000001
[  224.676957][    C0] R10: 0000000000000001 R11: 0000000000080000 R12: 0000000000000000
[  224.680232][    C0] R13: ffffffff842622c0 R14: 0000000000000000 R15: 0000000000000000
[  224.683617][    C0]  default_idle_call+0x6a/0x260
[  224.685750][    C0]  do_idle+0x20c/0x260
[  224.687593][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[  224.690199][    C0]  cpu_startup_entry+0x14/0x20
[  224.692248][    C0]  start_kernel+0x8f7/0x91e
[  224.694223][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
[  224.697014][    C0]  </TASK>
------------------------------------------------------------

mptcp_subflow_create_socket() increments net->ns.count and sets
sk->sk_net_refcnt = 1, but e.g. rds_tcp_listen_init() does not?

------------------------------------------------------------
int mptcp_subflow_create_socket(struct sock *sk, struct socket **new_sock)
{
        struct mptcp_subflow_context *subflow;
        struct net *net = sock_net(sk);
        struct socket *sf;
        int err;

        /* un-accepted server sockets can reach here - on bad configuration
         * bail early to avoid greater trouble later
         */
        if (unlikely(!sk->sk_socket))
                return -EINVAL;

        err = sock_create_kern(net, sk->sk_family, SOCK_STREAM, IPPROTO_TCP,
                               &sf);
        if (err)
                return err;

        lock_sock(sf->sk);

        /* the newly created socket has to be in the same cgroup as its parent */
        mptcp_attach_cgroup(sk, sf->sk);

        /* kernel sockets do not by default acquire net ref, but TCP timer
         * needs it.
         */
        sf->sk->sk_net_refcnt = 1;
        get_net_track(net, &sf->sk->ns_tracker, GFP_KERNEL);
        sock_inuse_add(net, 1);
------------------------------------------------------------

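To make the lifetime rule concrete, here is an added single-threaded C model of the two points this thread turns on: Eric's remark earlier that kernel sockets hold no net namespace reference and that `sk_stop_timer()` does not wait for a handler already running, and the `mptcp_subflow_create_socket()` excerpt just above, which sidesteps the problem by taking the reference. This is not kernel code and not from anyone in the thread; `struct net`, `struct sock`, `struct timer` and the helper functions are stand-ins that keep the names of the kernel objects they mimic, and the one interleaving written out (the retransmit timer is dequeued just before `tcp_close()` runs) is an assumption chosen to show where `del_timer()` and `del_timer_sync()` differ.

```c
#include <stdio.h>

/* Stand-ins for the kernel objects (a model, not kernel code; field names
 * follow the kernel fields they mimic). */
struct net   { int ns_count; int destroyed; int timeouts; };
struct timer { int pending; int running; };   /* queued / handler executing */
struct sock  { struct net *net; int net_refcnt; int refcnt; struct timer retransmit; };

static void put_net(struct net *net)
{
	if (--net->ns_count == 0)
		net->destroyed = 1;              /* the kernel would free it here */
}

/* __sk_destruct(): only a socket that took a net reference drops one. */
static void sock_put(struct sock *sk)
{
	if (--sk->refcnt == 0 && sk->net_refcnt)
		put_net(sk->net);
}

/* sk_reset_timer(): arming a timer takes a socket reference. */
static void sk_reset_timer(struct sock *sk, struct timer *t)
{
	if (!t->pending) {
		t->pending = 1;
		sk->refcnt++;
	}
}

/* The timer wheel dequeues an expired timer and starts its handler on
 * "another CPU"; from here on nothing can cancel it, only wait for it. */
static void timer_fire_begin(struct timer *t)
{
	if (t->pending) {
		t->pending = 0;
		t->running = 1;
	}
}

/* Rest of the handler: bump a per-net counter through sock_net(sk), then
 * drop the reference the timer held. Returns 1 if the net was already gone. */
static int timer_fire_end(struct sock *sk, struct timer *t)
{
	int uaf = 0;

	if (!t->running)
		return 0;
	if (sk->net->destroyed)              /* __NET_INC_STATS() on a freed net */
		uaf = 1;
	else
		sk->net->timeouts++;
	t->running = 0;
	sock_put(sk);
	return uaf;
}

/* sk_stop_timer(): del_timer() semantics. Cancels a pending timer but does
 * not wait for a handler that is already running. */
static void sk_stop_timer(struct sock *sk, struct timer *t)
{
	if (t->pending) {
		t->pending = 0;
		sock_put(sk);
	}
}

/* sk_stop_timer_sync(): del_timer_sync() semantics, which also waits for a
 * running handler. In this single-threaded model "waiting" means letting
 * the handler run to completion before returning. */
static int sk_stop_timer_sync(struct sock *sk, struct timer *t)
{
	int uaf = timer_fire_end(sk, t);

	sk_stop_timer(sk, t);
	return uaf;
}

/* One interleaving: the retransmit timer was dequeued just before tcp_close()
 * ran. Returns 1 if the handler dereferenced a destroyed net namespace. */
static int run_scenario(int sk_net_refcnt, int sync_stop)
{
	struct net net = { .ns_count = 1 };  /* the namespace creator's reference */
	struct sock sk = { .net = &net, .net_refcnt = sk_net_refcnt, .refcnt = 1 };
	int uaf = 0;

	if (sk_net_refcnt)                   /* get_net_track(), as mptcp does */
		net.ns_count++;

	sk_reset_timer(&sk, &sk.retransmit);
	timer_fire_begin(&sk.retransmit);    /* timer expires, handler starts */

	if (sync_stop)                       /* tcp_close(): stop timers, drop owner ref */
		uaf |= sk_stop_timer_sync(&sk, &sk.retransmit);
	else
		sk_stop_timer(&sk, &sk.retransmit);
	sock_put(&sk);
	put_net(&net);                       /* namespace creator exits */

	uaf |= timer_fire_end(&sk, &sk.retransmit); /* the running handler finishes */
	return uaf;
}

int main(void)
{
	printf("kernel socket, sk_stop_timer():      uaf=%d\n", run_scenario(0, 0));
	printf("kernel socket, sk_stop_timer_sync(): uaf=%d\n", run_scenario(0, 1));
	printf("socket pinning its net (mptcp):      uaf=%d\n", run_scenario(1, 0));
	return 0;
}
```

Only the first line reports `uaf=1`: with `sk_net_refcnt=0` and a plain `sk_stop_timer()`, the namespace goes away while the handler is still between dequeue and `sock_put()`, which is the `__NET_INC_STATS()` access syzbot flagged. The second line is what the `inet_csk_clear_xmit_timers_sync()` patch earlier in the thread achieves (the handler is waited for before the last references drop), and the third is the `sk_net_refcnt = 1` pattern from the `mptcp_subflow_create_socket()` excerpt, where the socket itself keeps the namespace alive until `__sk_destruct()`.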

* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-09 17:47       ` Eric Dumazet
  2022-04-09 17:55         ` Eric Dumazet
@ 2022-04-10 11:36         ` Tetsuo Handa
  1 sibling, 0 replies; 11+ messages in thread
From: Tetsuo Handa @ 2022-04-10 11:36 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: bpf, syzbot, Andrii Nakryiko, Andrii Nakryiko,
	Alexei Starovoitov, Daniel Borkmann, David Miller, David Ahern,
	John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski,
	Alexey Kuznetsov, netdev, Song Liu, syzkaller-bugs, tpa,
	Yonghong Song, Hideaki YOSHIFUJI, Linus Torvalds,
	Trond Myklebust

On 2022/04/10 2:47, Eric Dumazet wrote:
> So please add to your tree the NFS fix:
> 
> commit f00432063db1a0db484e85193eccc6845435b80e
> Author: Trond Myklebust <trond.myklebust@hammerspace.com>
> Date:   Sun Apr 3 15:58:11 2022 -0400
> 
>     SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

OK. Since the socket is sk->sk_net_refcnt=0, adding

> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index e31cf137c6140f76f838b4a0dcddf9f104ad653b..3dacd202bf2af43c55ffe820c08316150d2018ea
> 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -2928,6 +2928,8 @@ void tcp_close(struct sock *sk, long timeout)
>         lock_sock(sk);
>         __tcp_close(sk, timeout);
>         release_sock(sk);
> +       if (!sk->sk_net_refcnt)
> +               inet_csk_clear_xmit_timers_sync(sk);
>         sock_put(sk);
>  }
>  EXPORT_SYMBOL(tcp_close);
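Review bot: the new `if (!sk->sk_net_refcnt) inet_csk_clear_xmit_timers_sync(sk);` sits after release_sock(sk) with no comment, so a reader of tcp_close() cannot tell why only sockets without a net reference need a synchronous timer clear; add a comment stating that kernel sockets (sk_net_refcnt == 0) do not hold their netns alive, so a pending retransmit timer must be stopped before the namespace can be freed. It is also worth spelling out, in the changelog or the comment, why nothing between release_sock() and this call can re-arm a timer (an incoming segment processed on another CPU would otherwise undo the clear), and, as the trace below in this reply shows, whether stopping the timer here leaves a path that still drops the last socket reference.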

part indeed helped avoid the use-after-free increment on sock_net(sk).
But it seems to me that __sk_destruct() is never called.

----------------------------------------
[   93.024086][    C1] sock: sk_clone_lock(): sk=ffff888110328000 net=ffff88810efb8000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[   93.030257][    C1] sock: sk_clone_lock(): newsk=ffff888110350000 net=ffff88810efb8000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
(...snipped...)
[   93.170750][  T740] TCP: Calling inet_csk_clear_xmit_timers_sync() on sock=ffff888110350000
(...snipped...)
[  214.272450][    T8] TCP: Calling inet_csk_clear_xmit_timers_sync() on sock=ffff888110328000
(...snipped...)
[  214.358528][    C3] sock: __sk_destruct(): sk=ffff888110328000 family=10 net=ffff88810efb8000 sk->sk_net_refcnt=0
----------------------------------------

If I do

-		inet_csk_clear_xmit_timers_sync(sk);
+		write_pnet(&sk->sk_net, &init_net);

in this patch (i.e. just avoid the use-after-free access), __sk_destruct() is called when the timer fires.

----------------------------------------
[   81.969884][    C0] sock: sk_clone_lock(): sk=ffff8880156f8000 net=ffff8881030d8000 sk->sk_family=10 sk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
[   81.975329][    C0] sock: sk_clone_lock(): newsk=ffff8880156f8c40 net=ffff8881030d8000 newsk->sk_family=10 newsk->sk_net_refcnt=0 refcount_read(&net->ns.count)=2
(...snipped...)
[   82.078152][  T735] TCP: Resetting sk->sk_net on sock=ffff8880156f8c40
(...snipped...)
[  203.937701][  T735] TCP: Resetting sk->sk_net on sock=ffff8880156f8000
(...snipped...)
[  204.042570][    C1] sock: __sk_destruct(): sk=ffff8880156f8000 family=10 net=ffffffff84588cc0 sk->sk_net_refcnt=0
(...snipped...)
[  214.124851][    C1] sock: __sk_destruct(): sk=ffff8880156f8c40 family=10 net=ffffffff84588cc0 sk->sk_net_refcnt=0
----------------------------------------

Therefore, I guess that this patch is missing something here.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-09  8:19   ` Tetsuo Handa
  2022-04-09 16:46     ` Eric Dumazet
@ 2022-04-22 14:40     ` Tetsuo Handa
  2022-04-24  3:57       ` Tetsuo Handa
  1 sibling, 1 reply; 11+ messages in thread
From: Tetsuo Handa @ 2022-04-22 14:40 UTC (permalink / raw)
  To: Santosh Shilimkar, OFED mailing list
  Cc: syzbot, andrii, andriin, ast, daniel, davem, dsahern, edumazet,
	john.fastabend, kafai, kpsingh, kuba, kuznet, netdev,
	songliubraving, syzkaller-bugs, tpa, yhs, yoshfuji, bpf

Hello, RDS developers.

I was thinking that the BPF program was relevant to the TCP/IPv6 socket triggering the
use-after-free access. But disassembling the syzkaller-generated BPF program showed
that what "char program[2053]" is doing is not important
( https://lkml.kernel.org/r/d21e278f-a3ff-8603-f6ba-b51a8cddafa8@I-love.SAKURA.ne.jp ).

Then, I realized that TCP/IPv6 port 16385 (which the reproducer is accessing) is
used by the kernel RDS server, which can explain
"It seems that a socket with sk->sk_net_refcnt=0 is created by unshare(CLONE_NEWNET)"
at https://lkml.kernel.org/r/fa445f0e-32b7-5e0d-9326-94bc5adba4c1@I-love.SAKURA.ne.jp
because the kernel RDS server starts during the boot procedure.

------------------------------------------------------------
root@fuzz:~# unshare -n netstat -tanpe
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::16385                :::*                    LISTEN      0          19627      -
------------------------------------------------------------

With the debug printk() patch shown below,

------------------------------------------------------------
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 0ec2f5906a27..20b3c42b4140 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -429,7 +429,8 @@ static void net_free(struct net *net)
 {
 	if (refcount_dec_and_test(&net->passive)) {
 		kfree(rcu_access_pointer(net->gen));
-		kmem_cache_free(net_cachep, net);
+		memset(net, POISON_FREE, sizeof(struct net));
+		//kmem_cache_free(net_cachep, net);
 	}
 }
 
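Review bot: this hunk leaks every struct net on purpose (kmem_cache_free() is commented out and the object is filled with POISON_FREE) so that a later access through a stale sock_net() pointer reads 0x6b bytes instead of a recycled object; mark it clearly as debug-only / not-for-merge, for example with a `/* DEBUG: keep freed struct net poisoned */` comment above the memset, because as written it is a permanent memory leak on every namespace exit. Note that `kfree(rcu_access_pointer(net->gen))` still runs before the memset, so net->gen is really freed while the net itself is only poisoned; that is the intended signal, and the `RAX: 6b6b6b6b6b6b6b6b` in the crash later in this thread is exactly this poison being dereferenced.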
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 09cadd556d1e..5792fe3df8ac 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -146,10 +146,9 @@ int rds_tcp_accept_one(struct socket *sock)
 	my_addr = &saddr;
 	peer_addr = &daddr;
 #endif
-	rdsdebug("accepted family %d tcp %pI6c:%u -> %pI6c:%u\n",
-		 sock->sk->sk_family,
-		 my_addr, ntohs(inet->inet_sport),
-		 peer_addr, ntohs(inet->inet_dport));
+	pr_info("accepted family %d tcp %pI6c:%u -> %pI6c:%u refcnt=%d sock_net=%px init_net=%px\n",
+		sock->sk->sk_family, my_addr, ntohs(inet->inet_sport), peer_addr,
+		ntohs(inet->inet_dport), sock->sk->sk_net_refcnt, sock_net(sock->sk), &init_net);
 
 #if IS_ENABLED(CONFIG_IPV6)
 	/* sk_bound_dev_if is not set if the peer address is not link local
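Review bot: swapping rdsdebug() for pr_info() makes this message unconditional, and `%px` prints the raw sock_net() and &init_net addresses to dmesg, which bypasses kernel pointer hashing; that is acceptable for a local debug build but must not be merged as is. Keep rdsdebug() (or gate the pr_info() behind the existing RDS debug facility) and use `%p` if the comparison against init_net is all that is needed. The added sk_net_refcnt / sock_net / init_net fields are the useful part of the hunk; the address and port arguments are unchanged from the original rdsdebug() call.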
------------------------------------------------------------

I get

    accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:33086 refcnt=0 sock_net=ffffffff860d89c0 init_net=ffffffff860d89c0

if I do

    # echo > /dev/tcp/127.0.0.1/16385

from the init_net namespace, and I get

    accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:33088 refcnt=0 sock_net=ffff88810a208000 init_net=ffffffff860d89c0

if I do

    # echo > /dev/tcp/127.0.0.1/16385

from a non-init_net namespace. Note that sock->sk->sk_net_refcnt is 0 in both cases.

Like commit 2303f994b3e18709 ("mptcp: Associate MPTCP context with TCP socket") says

    /* kernel sockets do not by default acquire net ref, but TCP timer
     * needs it.
     */

, I came to feel that e.g. rds_tcp_accept_one() accessing sock_net(sock->sk) on
accepted sockets with sock->sk->sk_net_refcnt=0 (because the listening socket was
created by the kernel) is causing this problem. Why doesn't the RDS kernel server do

	sock->sk->sk_net_refcnt = 1;
	get_net_track(net, &sock->sk->ns_tracker, GFP_KERNEL);
	sock_inuse_add(net, 1);

on accepted sockets like mptcp_subflow_create_socket() does?

For your testing, below is the latest reproducer.
You can try this reproducer with the keep-memory-poisoned patch shown above.

------------------------------------------------------------
// https://syzkaller.appspot.com/bug?id=8f0e04b2beffcd42f044d46879cc224f6eb71a99
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <pthread.h>
#include <sched.h>      /* unshare(), CLONE_NEWNET */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* MSG_PROBE ("do not send, only probe the path") is not exported by glibc. */
#ifndef MSG_PROBE
#define MSG_PROBE 0x10
#endif

struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                         const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                         int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
                            int* reply_len, bool dofail)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
			   (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

static void netlink_device_change(int sock, const char* name, const void* mac, int macsize)
{
	struct nlmsg nlmsg;
	struct ifinfomsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ifi_flags = hdr.ifi_change = IFF_UP;
	hdr.ifi_index = if_nametoindex(name);
	netlink_init(&nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
	netlink_attr(&nlmsg, IFLA_ADDRESS, mac, macsize);
	netlink_send(&nlmsg, sock);
}

static void netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize)
{
	struct nlmsg nlmsg;
	struct ifaddrmsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
	hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
	hdr.ifa_scope = RT_SCOPE_UNIVERSE;
	hdr.ifa_index = if_nametoindex(dev);
	netlink_init(&nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
		     sizeof(hdr));
	netlink_attr(&nlmsg, IFA_LOCAL, addr, addrsize);
	netlink_attr(&nlmsg, IFA_ADDRESS, addr, addrsize);
	netlink_send(&nlmsg, sock);
}

static void netlink_add_addr4(int sock, const char* dev, const char* addr)
{
	struct in_addr in_addr;
	inet_pton(AF_INET, addr, &in_addr);
	netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
}

static void netlink_add_addr6(int sock, const char* dev, const char* addr)
{
	struct in6_addr in6_addr;
	inet_pton(AF_INET6, addr, &in6_addr);
	netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
}

/* Bring "lo" up inside the fresh namespace so 127.0.0.1 is reachable. */
static void initialize_netdevices(void)
{
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	uint64_t macaddr = 0x00aaaaaaaaaa;
	if (fd < 0)
		exit(1);
	netlink_add_addr4(fd, "lo", "127.0.0.1");
	netlink_add_addr6(fd, "lo", "::1");
	netlink_device_change(fd, "lo", &macaddr, ETH_ALEN);
	close(fd);
}

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

static void execute_one(void)
{
	/* Two-instruction socket filter, "r0 = 0; exit" (drops everything).
	 * As noted above, the program contents do not matter for the bug. */
	const union bpf_attr attr = {
		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
		.insn_cnt = 2,
		.insns = (unsigned long long) "\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
		.license = (unsigned long long) "GPL",
	};
	struct sockaddr_in addr = {
		.sin_family = AF_INET,
		.sin_port = htons(0x4001), /* 16385: where the kernel RDS TCPv6 socket is listening */
		.sin_addr.s_addr = inet_addr("127.0.0.1")
	};
	const struct msghdr msg = {
		.msg_name = &addr,
		.msg_namelen = sizeof(addr),
	};
	const int bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, 72);
	const int sock_fd = socket(PF_INET, SOCK_STREAM, 0);
	if (sock_fd < 0)
		exit(1);
	alarm(3); /* SIGALRM ends the loop after 3 seconds */
	while (1) {
		/* MSG_FASTOPEN on an unconnected socket makes sendmsg() connect to the
		 * RDS listener; the socket accepted in-kernel then belongs to this
		 * namespace without holding a reference on it. */
		sendmsg(sock_fd, &msg, MSG_OOB | MSG_PROBE | MSG_CONFIRM | MSG_FASTOPEN);
		setsockopt(sock_fd, SOL_SOCKET, SO_ATTACH_BPF, &bpf_fd, sizeof(bpf_fd));
	}
}

int main(int argc, char *argv[])
{
	/* A fresh network namespace: the kernel RDS listener is visible in it,
	 * and the namespace is torn down when this process exits. */
	if (unshare(CLONE_NEWNET))
		return 1;
	initialize_netdevices();
	execute_one();
	return 0;
}
------------------------------------------------------------


^ permalink raw reply related	[flat|nested] 11+ messages in thread
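The `unshare -n netstat -tanpe` check above identifies the kernel-created listener by the "-" in the PID/Program name column: no process holds a descriptor for the socket, which is what a sock_create_kern() listener looks like from userspace. The script below, an added example that is not part of this thread or of the kernel tree, rebuilds that check from /proc/net/tcp, /proc/net/tcp6 and the socket inodes linked from /proc/<pid>/fd/*, so it can be run inside a fresh namespace without netstat. It assumes a little-endian host (the /proc address encoding is in host byte order, as on the x86-64 machine in the thread); the embedded /proc text is constructed sample input, and the inode numbers in it are made up.

```python
"""List TCP listeners in the current network namespace that no process owns.

Added example, not code from the thread or the kernel tree. A listener whose
socket inode is not open in any /proc/<pid>/fd is, from userspace, the
signature of an in-kernel sock_create_kern() listener such as the RDS one on
port 16385. Assumes a little-endian host for the /proc/net/tcp* encoding.
"""
from __future__ import annotations

import glob
import os
import re
import socket
import struct
from dataclasses import dataclass

TCP_LISTEN = 0x0A                      # "st" column value for LISTEN
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int
    inode: int


def decode_addr(field: str) -> tuple[str, int]:
    """Decode "HEXADDR:HEXPORT" as printed in /proc/net/tcp and tcp6.

    The address is one (IPv4) or four (IPv6) 32-bit words, each printed in
    host byte order, so every 8-hex-digit word is re-packed little-endian.
    """
    hexaddr, hexport = field.split(":")
    raw = b"".join(struct.pack("<I", int(hexaddr[i:i + 8], 16))
                   for i in range(0, len(hexaddr), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(hexport, 16)


def parse_listeners(proc_net_tcp_text: str) -> list[Listener]:
    """LISTEN entries from the text of /proc/net/tcp or /proc/net/tcp6."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:      # line 0 is the header
        cols = line.split()
        if len(cols) < 10 or int(cols[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(cols[1])
        listeners.append(Listener(ip, port, int(cols[7]), int(cols[9])))
    return listeners


def owned_socket_inodes(proc_root: str = "/proc") -> set[int]:
    """Socket inodes some process holds open: the scan netstat -p performs."""
    owned: set[int] = set()
    for fd_path in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(fd_path)
        except OSError:
            continue                      # fd closed or process exited meanwhile
        m = SOCKET_LINK.match(target)
        if m:
            owned.add(int(m.group(1)))
    return owned


def unowned_listeners(proc_texts: dict[str, str],
                      owned: set[int]) -> list[tuple[str, Listener]]:
    """Listeners whose inode no process has open: candidates for kernel sockets."""
    return [(proto, lst) for proto, text in proc_texts.items()
            for lst in parse_listeners(text) if lst.inode not in owned]


# Constructed sample (not captured from a real box): an IPv4 listener on 22
# owned by inode 12345, one ESTABLISHED flow, and an unowned IPv6 listener on
# 16385, the port of the kernel RDS server discussed in the thread.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:E55C 0100007F:4001 01 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:4001 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19627 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_OWNED = {12345}


if __name__ == "__main__" and os.path.exists("/proc/net/tcp6"):
    # Live use: run inside the namespace, e.g.  unshare -n python3 this.py
    texts = {p: open(f"/proc/net/{p}").read() for p in ("tcp", "tcp6")}
    for proto, lst in unowned_listeners(texts, owned_socket_inodes()):
        print(f"{proto} [{lst.ip}]:{lst.port} uid={lst.uid} inode={lst.inode} "
              "has no owning process (created in-kernel?)")
```

On the constructed input only the IPv6 listener on 16385 is reported; on a live system the same call lists every listener that no process owns, which is the set of sockets that will be accepted into a freshly unshared namespace without a process in that namespace ever holding them.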

* Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
  2022-04-22 14:40     ` Tetsuo Handa
@ 2022-04-24  3:57       ` Tetsuo Handa
  0 siblings, 0 replies; 11+ messages in thread
From: Tetsuo Handa @ 2022-04-24  3:57 UTC (permalink / raw)
  To: Santosh Shilimkar, OFED mailing list
  Cc: syzbot, andrii, andriin, ast, daniel, davem, dsahern, edumazet,
	john.fastabend, kafai, kpsingh, kuba, kuznet, netdev,
	songliubraving, syzkaller-bugs, tpa, yhs, yoshfuji, bpf

OK. I succeeded in reproducing this problem without a BPF program.
Just dropping TCP packets is sufficient. That is, this bug should be fixed in the RDS code.

------------------------------------------------------------
root@fuzz:~# unshare -n sh -c '
ip link set lo up
iptables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
ip6tables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
telnet 127.0.0.1 16385
dmesg -c
netstat -tanpe' < /dev/null
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[   54.922280] accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:58780 refcnt=0 sock_net=ffff888035c98000 init_net=ffffffff860d89c0
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      1 127.0.0.1:58780         127.0.0.1:16385         FIN_WAIT1   0          0          -
tcp6       0      0 :::16385                :::*                    LISTEN      0          18301      -
tcp6       1      1 127.0.0.1:16385         127.0.0.1:58780         LAST_ACK    0          0          -
------------------------------------------------------------

------------------------------------------------------------
fuzz login: [   54.849128][ T2718] ip (2718) used greatest stack depth: 11192 bytes left
[   54.922280][  T764] accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:58780 refcnt=0 sock_net=ffff888035c98000 init_net=ffffffff860d89c0
[  224.330990][    C0] general protection fault, probably for non-canonical address 0x6b6af3ebe92b6bc3: 0000 [#1] PREEMPT SMP
[  224.344491][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.0-rc3-00016-gb253435746d9-dirty #767
[  224.355974][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  224.361184][    C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[  224.364559][    C0] Code: 0f 84 33 05 00 00 4c 89 2c 24 49 89 c5 48 c7 40 10 00 00 00 00 e9 c0 fa ff ff 49 8b 46 30 41 0f b7 55 30 48 8b 80 b8 02 00 00 <65> 48 01 50 58 e9 8e fe ff ff 41 8b 86 fc 08 00 00 48 69 c0 e8 03
[  224.375318][    C0] RSP: 0018:ffffc90000003d38 EFLAGS: 00010297
[  224.378682][    C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[  224.383253][    C0] RDX: 0000000000000001 RSI: ffff8881008054e0 RDI: ffff888035340000
[  224.387171][    C0] RBP: ffff888100805508 R08: 0000000000000000 R09: 0000000000000000
[  224.389612][    C0] R10: ffff888104a39140 R11: 0000000000000000 R12: 0000000000000001
[  224.392646][    C0] R13: ffff8881008054e0 R14: ffff888035340000 R15: 0000000000000020
[  224.395626][    C0] FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[  224.398662][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  224.400880][    C0] CR2: 000056264812f99c CR3: 000000000a58e000 CR4: 00000000000506f0
[  224.403964][    C0] Call Trace:
[  224.405212][    C0]  <IRQ>
[  224.406355][    C0]  ? tcp_write_timer_handler+0x280/0x280
[  224.408259][    C0]  tcp_write_wakeup+0x112/0x160
[  224.409932][    C0]  ? ktime_get+0x1cb/0x260
[  224.411636][    C0]  tcp_send_probe0+0x13/0x150
[  224.413393][    C0]  tcp_write_timer_handler+0x248/0x280
[  224.415433][    C0]  tcp_write_timer+0xa5/0x110
[  224.417040][    C0]  ? tcp_write_timer_handler+0x280/0x280
[  224.419142][    C0]  call_timer_fn+0xa6/0x300
[  224.420949][    C0]  __run_timers.part.0+0x209/0x320
[  224.422915][    C0]  run_timer_softirq+0x2c/0x60
[  224.424791][    C0]  __do_softirq+0x174/0x53f
[  224.426462][    C0]  __irq_exit_rcu+0xcb/0x120
[  224.428188][    C0]  irq_exit_rcu+0x5/0x20
[  224.430176][    C0]  sysvec_apic_timer_interrupt+0x8e/0xc0
[  224.432301][    C0]  </IRQ>
[  224.433394][    C0]  <TASK>
[  224.434514][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[  224.436500][    C0] RIP: 0010:default_idle+0xb/0x10
[  224.438220][    C0] Code: 8b 04 25 40 af 01 00 f0 80 60 02 df c3 0f ae f0 0f ae 38 0f ae f0 eb b9 0f 1f 80 00 00 00 00 eb 07 0f 00 2d e3 b6 56 00 fb f4 <c3> cc cc cc cc 53 48 89 fb e8 67 fb fe ff 48 8b 15 a0 91 4e 02 89
[  224.444865][    C0] RSP: 0018:ffffffff83e03ea8 EFLAGS: 00000202
[  224.447077][    C0] RAX: 00000000000223b5 RBX: ffffffff83e61a00 RCX: 0000000000000001
[  224.449957][    C0] RDX: 0000000000000000 RSI: ffffffff832e9bf1 RDI: ffffffff83246666
[  224.452916][    C0] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
[  224.455677][    C0] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[  224.458458][    C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  224.461642][    C0]  default_idle_call+0x54/0x90
[  224.463888][    C0]  do_idle+0x1f3/0x240
[  224.465531][    C0]  cpu_startup_entry+0x14/0x20
[  224.467193][    C0]  start_kernel+0x69c/0x6c1
[  224.469040][    C0]  secondary_startup_64_no_verify+0xc3/0xcb
[  224.471179][    C0]  </TASK>
[  224.472438][    C0] Modules linked in:
[  224.474387][    C0] ---[ end trace 0000000000000000 ]---
[  224.476521][    C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[  224.478893][    C0] Code: 0f 84 33 05 00 00 4c 89 2c 24 49 89 c5 48 c7 40 10 00 00 00 00 e9 c0 fa ff ff 49 8b 46 30 41 0f b7 55 30 48 8b 80 b8 02 00 00 <65> 48 01 50 58 e9 8e fe ff ff 41 8b 86 fc 08 00 00 48 69 c0 e8 03
[  224.485948][    C0] RSP: 0018:ffffc90000003d38 EFLAGS: 00010297
[  224.488110][    C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[  224.491186][    C0] RDX: 0000000000000001 RSI: ffff8881008054e0 RDI: ffff888035340000
[  224.494378][    C0] RBP: ffff888100805508 R08: 0000000000000000 R09: 0000000000000000
[  224.497576][    C0] R10: ffff888104a39140 R11: 0000000000000000 R12: 0000000000000001
[  224.500600][    C0] R13: ffff8881008054e0 R14: ffff888035340000 R15: 0000000000000020
[  224.503814][    C0] FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[  224.507136][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  224.509421][    C0] CR2: 000056264812f99c CR3: 000000000a58e000 CR4: 00000000000506f0
[  224.512699][    C0] Kernel panic - not syncing: Fatal exception in interrupt
[  224.515847][    C0] Kernel Offset: disabled
[  224.517636][    C0] Rebooting in 10 seconds..
------------------------------------------------------------


^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2022-04-24  3:57 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-24  7:40 KASAN: use-after-free Read in tcp_retransmit_timer (5) syzbot
2021-12-22 11:00 ` [syzbot] " syzbot
2022-04-09  8:19   ` Tetsuo Handa
2022-04-09 16:46     ` Eric Dumazet
2022-04-09 17:47       ` Eric Dumazet
2022-04-09 17:55         ` Eric Dumazet
2022-04-10  0:38           ` Tetsuo Handa
2022-04-10  5:39             ` Tetsuo Handa
2022-04-10 11:36         ` Tetsuo Handa
2022-04-22 14:40     ` Tetsuo Handa
2022-04-24  3:57       ` Tetsuo Handa

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).