Bug 2227000

Summary: use after free established_get_first.isra.43+0x9f
Product: Red Hat Enterprise Linux 8
Reporter: rtulchii
Component: kernel
Assignee: Networking Services Kernel Team bug triage <nst-kernel-bugs>
kernel sub component: tcp
QA Contact: xmu
Status: NEW
Severity: unspecified
Priority: unspecified
CC: jiji, network-qe, pabeni
Version: 8.7
Flags: pabeni: needinfo? (rtulchii)
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug

Description rtulchii 2023-07-27 10:40:13 UTC
Description of problem:
The crash occurs in net/ipv4/tcp_ipv4.c:2269 in the function established_get_first(struct seq_file *seq): in the tcp_hashinfo sits a pointer to a sk_nulls_node which leads to an already nonexistent socket.

dmesg content:

[244019.741040] sh (1274115): drop_caches: 3
[244194.019301] BUG: unable to handle kernel paging request at ffff965e91a6a5e0
[244194.020210] PGD 0 P4D 0 
[244194.020417] Oops: 0000 [#1] SMP NOPTI
[244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1
[244194.020743] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[244194.020940] RIP: 0010:established_get_first.isra.43+0x9f/0xe0
[244194.021080] Code: bb de 64 02 4c 8d 2c 90 4c 89 ef e8 9b c4 10 00 48 63 53 20 48 8b 45 00 48 8b 14 d0 f6 c2 01 75 1d 41 0f b7 0e 66 85 c9 74 06 <66> 39 4a a8 75 06 4c 3b 62 c8 74 12 48 8b 12 f6 c2 01 74 e7 4c 89
[244194.021396] RSP: 0018:ffffbf438ad47e08 EFLAGS: 00010202
[244194.021506] RAX: ffffbf43869a2000 RBX: ffff9c9053ce6e00 RCX: 0000000000000002
[244194.021608] RDX: ffff965e91a6a638 RSI: ffffbf43869a2000 RDI: ffff9c904781ce78
[244194.021707] RBP: ffffffffa9b32f00 R08: 0000000000001000 R09: 0000000000000834
[244194.021858] R10: 000000000000000f R11: ffff9c9095747820 R12: ffffffffa8930bc0
[244194.021963] R13: ffff9c904781ce78 R14: ffffffffa8947fa0 R15: ffff9c9054189500
[244194.022153] FS:  00007f3a300e1040(0000) GS:ffff9c9e43b80000(0000) knlGS:0000000000000000
[244194.022283] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[244194.022401] CR2: ffff965e91a6a5e0 CR3: 000000022ae68000 CR4: 0000000000350ee0
[244194.022518] Call Trace:
[244194.022993]  tcp_seq_next+0x45/0x90
[244194.023187]  seq_read+0x2ad/0x420
[244194.023571]  proc_reg_read+0x39/0x60
[244194.023922]  vfs_read+0x91/0x150
[244194.024047]  ksys_read+0x4f/0xb0
[244194.024171]  do_syscall_64+0x5b/0x1b0
[244194.024304]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[244194.024445] RIP: 0033:0x7f3a2f9f0b25
[244194.024576] Code: fe ff ff 50 48 8d 3d 0a c9 06 00 e8 25 ee 01 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 f5 4b 2a 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[244194.024808] RSP: 002b:00007ffd260ba688 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[244194.024967] RAX: ffffffffffffffda RBX: 0000561ea39e42a0 RCX: 00007f3a2f9f0b25
[244194.025093] RDX: 0000000000001000 RSI: 0000561ea39eaeb0 RDI: 0000000000000003
[244194.025194] RBP: 0000000000000d68 R08: 0000000000000001 R09: 0000000000000000
[244194.025333] R10: 00007f3a300e1040 R11: 0000000000000246 R12: 00007f3a2fc8c860
[244194.025458] R13: 00007f3a2fc8d3a0 R14: 0000000000001fff R15: 0000561ea39e42a0
[244194.025629] Modules linked in: tcp_diag inet_diag fuse vfat msdos fat dm_mod xt_REDIRECT xt_owner xt_conntrack ipt_REJECT nf_reject_ipv4 kcare(OE) nft_chain_nat xt_nat nf_nat xt_set xt_multiport ip6t_REJECT nf_reject_ipv6 xt_NFLOG nft_compat ip_set_bitmap_port ip_set_list_set ip_set_hash_net ip_set kmodlve(O) xfs netconsole nft_ct nf_conntrack intel_rapl_msr nf_defrag_ipv6 nf_defrag_ipv4 intel_rapl_common nfnetlink_log loop nft_counter amd_energy crct10dif_pclmul crc32_pclmul nf_tables ghash_clmulni_intel libcrc32c joydev nfnetlink pcspkr i2c_piix4 virtio_balloon sunrpc ext4 mbcache jbd2 sd_mod t10_pi sg ata_generic bochs drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helper virtio_net ata_piix ttm net_failover libata drm crc32c_intel virtio_scsi serio_raw failover
[244194.030215] kmodlve srcversion: C9064AFBF5F28A36F0CDBB2
[244194.030220] CR2: ffff965e91a6a5e0

Version-Release number of selected component (if applicable):
4.18.0-425.10.1.el8

How reproducible:
Not reproducible

Comment 1 Paolo Abeni 2023-07-27 16:12:48 UTC
(In reply to rtulchii from comment #0)
> [244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G  
> OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1

The kernel is tainted with an out-of-tree, unsigned, proprietary module. Can you reproduce/observe the issue again with an untainted kernel?

Otherwise I can't investigate the problem.
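Comment 1 rests on reading the taint field of the oops header before anything else. The script below is an added triage helper, not part of this bug report or the kernel tree: it pulls the faulting address, the RIP symbol, the command, the call trace and the taint letters out of the oops lines quoted in the description and reports whether an untainted reproduction should be requested. The taint letter meanings follow Documentation/admin-guide/tainted-kernels.rst; the sample input is excerpted from the dmesg above.

```python
import re

# Taint letters from Documentation/admin-guide/tainted-kernels.rst (triage-relevant subset).
TAINT_LETTERS = {
    "P": "proprietary module loaded", "F": "module force-loaded",
    "R": "module force-unloaded", "M": "machine check exception",
    "B": "bad page reference", "U": "userspace taint requested",
    "D": "kernel died recently (earlier oops)", "W": "kernel warning occurred",
    "C": "staging driver loaded", "O": "out-of-tree module loaded",
    "E": "unsigned module loaded", "L": "soft lockup occurred",
    "K": "kernel live-patched",
}

# Sample input: lines excerpted from the oops quoted in the report above.
SAMPLE_OOPS = """\
[244194.019301] BUG: unable to handle kernel paging request at ffff965e91a6a5e0
[244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1
[244194.020940] RIP: 0010:established_get_first.isra.43+0x9f/0xe0
[244194.022518] Call Trace:
[244194.022993]  tcp_seq_next+0x45/0x90
[244194.023187]  seq_read+0x2ad/0x420
[244194.023571]  proc_reg_read+0x39/0x60
[244194.024445] RIP: 0033:0x7f3a2f9f0b25
"""

def triage_oops(text):
    """Extract the fields a triager checks first from an x86-64 oops dump."""
    info = {"taint": {}, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s?", "", raw).rstrip()  # drop dmesg timestamp
        if in_trace and (m := re.match(r"\s*(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)):
            info["trace"].append(m.group(1))
            continue
        in_trace = False
        if m := re.search(r"unable to handle kernel paging request at ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.search(r"Comm: (\S+) .*Tainted: (.*?)\s+(\S+) #\d+$", line):
            info["comm"], info["kernel"] = m.group(1), m.group(3)
            # Letters in the taint field map to the table above; 'G' means all modules are GPL.
            info["taint"] = {c: TAINT_LETTERS[c] for c in m.group(2) if c in TAINT_LETTERS}
        elif m := re.search(r"RIP: 0010:(\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+", line):
            info["rip_symbol"], info["rip_offset"] = m.group(1), int(m.group(2), 16)
        elif line.startswith("Call Trace:"):
            in_trace = True
    # Out-of-tree or proprietary code in the kernel means the crash cannot be attributed.
    info["needs_untainted_repro"] = bool({"O", "P"} & info["taint"].keys())
    return info

if __name__ == "__main__":
    print(triage_oops(SAMPLE_OOPS))
```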