
Bug 2227000

Summary: use after free established_get_first.isra.43+0x9f
Product: Red Hat Enterprise Linux 8
Reporter: rtulchii
Component: kernel
Assignee: Networking Services Kernel Team bug triage <nst-kernel-bugs>
kernel sub component: tcp
QA Contact: xmu
Status: CLOSED WONTFIX
Docs Contact:
Severity: unspecified
Priority: unspecified
CC: jiji, mleitner, network-qe, pabeni
Version: 8.7
Flags: pm-rhel: mirror+
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-27 07:28:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description rtulchii 2023-07-27 10:40:13 UTC
Description of problem:
The crash occurs in net/ipv4/tcp_ipv4.c:2269 in the function established_get_first(struct seq_file *seq): in tcp_hashinfo sits a pointer to an sk_nulls_node which leads to an already nonexistent socket.

dmesg content:

[244019.741040] sh (1274115): drop_caches: 3
[244194.019301] BUG: unable to handle kernel paging request at ffff965e91a6a5e0
[244194.020210] PGD 0 P4D 0 
[244194.020417] Oops: 0000 [#1] SMP NOPTI
[244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1
[244194.020743] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[244194.020940] RIP: 0010:established_get_first.isra.43+0x9f/0xe0
[244194.021080] Code: bb de 64 02 4c 8d 2c 90 4c 89 ef e8 9b c4 10 00 48 63 53 20 48 8b 45 00 48 8b 14 d0 f6 c2 01 75 1d 41 0f b7 0e 66 85 c9 74 06 <66> 39 4a a8 75 06 4c 3b 62 c8 74 12 48 8b 12 f6 c2 01 74 e7 4c 89
[244194.021396] RSP: 0018:ffffbf438ad47e08 EFLAGS: 00010202
[244194.021506] RAX: ffffbf43869a2000 RBX: ffff9c9053ce6e00 RCX: 0000000000000002
[244194.021608] RDX: ffff965e91a6a638 RSI: ffffbf43869a2000 RDI: ffff9c904781ce78
[244194.021707] RBP: ffffffffa9b32f00 R08: 0000000000001000 R09: 0000000000000834
[244194.021858] R10: 000000000000000f R11: ffff9c9095747820 R12: ffffffffa8930bc0
[244194.021963] R13: ffff9c904781ce78 R14: ffffffffa8947fa0 R15: ffff9c9054189500
[244194.022153] FS:  00007f3a300e1040(0000) GS:ffff9c9e43b80000(0000) knlGS:0000000000000000
[244194.022283] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[244194.022401] CR2: ffff965e91a6a5e0 CR3: 000000022ae68000 CR4: 0000000000350ee0
[244194.022518] Call Trace:
[244194.022993]  tcp_seq_next+0x45/0x90
[244194.023187]  seq_read+0x2ad/0x420
[244194.023571]  proc_reg_read+0x39/0x60
[244194.023922]  vfs_read+0x91/0x150
[244194.024047]  ksys_read+0x4f/0xb0
[244194.024171]  do_syscall_64+0x5b/0x1b0
[244194.024304]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[244194.024445] RIP: 0033:0x7f3a2f9f0b25
[244194.024576] Code: fe ff ff 50 48 8d 3d 0a c9 06 00 e8 25 ee 01 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 f5 4b 2a 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[244194.024808] RSP: 002b:00007ffd260ba688 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[244194.024967] RAX: ffffffffffffffda RBX: 0000561ea39e42a0 RCX: 00007f3a2f9f0b25
[244194.025093] RDX: 0000000000001000 RSI: 0000561ea39eaeb0 RDI: 0000000000000003
[244194.025194] RBP: 0000000000000d68 R08: 0000000000000001 R09: 0000000000000000
[244194.025333] R10: 00007f3a300e1040 R11: 0000000000000246 R12: 00007f3a2fc8c860
[244194.025458] R13: 00007f3a2fc8d3a0 R14: 0000000000001fff R15: 0000561ea39e42a0
[244194.025629] Modules linked in: tcp_diag inet_diag fuse vfat msdos fat dm_mod xt_REDIRECT xt_owner xt_conntrack ipt_REJECT nf_reject_ipv4 kcare(OE) nft_chain_nat xt_nat nf_nat xt_set xt_multiport ip6t_REJECT nf_reject_ipv6 xt_NFLOG nft_compat ip_set_bitmap_port ip_set_list_set ip_set_hash_net ip_set kmodlve(O) xfs netconsole nft_ct nf_conntrack intel_rapl_msr nf_defrag_ipv6 nf_defrag_ipv4 intel_rapl_common nfnetlink_log loop nft_counter amd_energy crct10dif_pclmul crc32_pclmul nf_tables ghash_clmulni_intel libcrc32c joydev nfnetlink pcspkr i2c_piix4 virtio_balloon sunrpc ext4 mbcache jbd2 sd_mod t10_pi sg ata_generic bochs drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helper virtio_net ata_piix ttm net_failover libata drm crc32c_intel virtio_scsi serio_raw failover
[244194.030215] kmodlve srcversion: C9064AFBF5F28A36F0CDBB2
[244194.030220] CR2: ffff965e91a6a5e0

Version-Release number of selected component (if applicable):
4.18.0-425.10.1.el8

How reproducible:
Not reproducible

Comment 1 Paolo Abeni 2023-07-27 16:12:48 UTC
(In reply to rtulchii from comment #0)
> [244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G  
> OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1

The kernel is tainted with an out-of-tree, unsigned, proprietary module. Can you reproduce/observe the issue again with an untainted kernel?

Otherwise we can't investigate the problem.
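
The triage done in this comment (read the taint letters off the "CPU:" line and decide whether the report can be worked at all) and the reporter's description of the fault can both be checked mechanically. The script below is an added helper written for this page; it is not code from the bug report, from the kernel, or from Red Hat. It parses the Oops lines pasted in comment 0 (embedded here as a constructed sample, trimmed to the lines it uses), decodes the taint letters using the table from the kernel's admin-guide tainted-kernels documentation (so "G OE" becomes the /proc/sys/kernel/tainted value 12288), flags the module-related taints that make a report unworkable, extracts the faulting symbol and call trace, and relates the CR2 address to the register dump. On this Oops it finds CR2 = RDX - 0x58, which agrees with my own decoding of the bytes at the fault marker in the Code line, 66 39 4a a8 = cmp %cx,-0x58(%rdx): the faulting 16-bit load went through RDX. The 0x1000-byte window and the field names are my choices.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the Oops header lines from the report above, trimmed to
# the lines this helper looks at (BUG line, CPU/taint line, RIP, general and
# control registers, and the call trace).
SAMPLE_OOPS = """\
[244194.019301] BUG: unable to handle kernel paging request at ffff965e91a6a5e0
[244194.020417] Oops: 0000 [#1] SMP NOPTI
[244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1
[244194.020940] RIP: 0010:established_get_first.isra.43+0x9f/0xe0
[244194.021506] RAX: ffffbf43869a2000 RBX: ffff9c9053ce6e00 RCX: 0000000000000002
[244194.021608] RDX: ffff965e91a6a638 RSI: ffffbf43869a2000 RDI: ffff9c904781ce78
[244194.021707] RBP: ffffffffa9b32f00 R08: 0000000000001000 R09: 0000000000000834
[244194.021858] R10: 000000000000000f R11: ffff9c9095747820 R12: ffffffffa8930bc0
[244194.021963] R13: ffff9c904781ce78 R14: ffffffffa8947fa0 R15: ffff9c9054189500
[244194.022401] CR2: ffff965e91a6a5e0 CR3: 000000022ae68000 CR4: 0000000000350ee0
[244194.022518] Call Trace:
[244194.022993]  tcp_seq_next+0x45/0x90
[244194.023187]  seq_read+0x2ad/0x420
[244194.023571]  proc_reg_read+0x39/0x60
[244194.023922]  vfs_read+0x91/0x150
[244194.024047]  ksys_read+0x4f/0xb0
[244194.024171]  do_syscall_64+0x5b/0x1b0
[244194.024445]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[244194.024576] RIP: 0033:0x7f3a2f9f0b25
"""

# Taint letters as documented in the kernel's admin-guide (tainted-kernels.rst):
# letter -> (bit in /proc/sys/kernel/tainted, meaning). "G" is the placeholder
# printed when bit 0 (P) is clear and carries no bit of its own.
TAINT_FLAGS = {
    "P": (0, "proprietary module loaded"),
    "F": (1, "module force-loaded"),
    "S": (2, "kernel running on an out-of-spec system"),
    "R": (3, "module force-unloaded"),
    "M": (4, "machine check exception occurred"),
    "B": (5, "bad page referenced or unexpected page flags"),
    "U": (6, "taint requested by userspace"),
    "D": (7, "kernel died recently (OOPS or BUG)"),
    "A": (8, "ACPI table overridden by user"),
    "W": (9, "warning emitted by the kernel (WARN)"),
    "C": (10, "staging driver loaded"),
    "I": (11, "workaround for a platform firmware bug applied"),
    "O": (12, "out-of-tree module loaded"),
    "E": (13, "unsigned module loaded"),
    "L": (14, "soft lockup occurred"),
    "K": (15, "kernel live-patched"),
    "X": (16, "auxiliary taint defined by the distribution"),
    "T": (17, "kernel built with the randstruct plugin"),
}
# Any of these means code outside the distribution's signed tree ran in the
# kernel, which is why the maintainer asked for an untainted reproduction.
MODULE_TAINTS = {"P", "F", "R", "O", "E"}

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")  # dmesg timestamp prefix


@dataclass
class OopsSummary:
    fault_addr: Optional[int] = None
    comm: str = ""
    pid: int = 0
    kernel: str = ""
    taint_letters: str = ""
    rip_symbol: str = ""
    rip_offset: int = 0
    regs: dict = field(default_factory=dict)   # register name -> value
    trace: list = field(default_factory=list)  # (symbol, offset) per frame


def parse_oops(text: str) -> OopsSummary:
    """Pull the triage-relevant fields out of an x86-64 Oops as printed by dmesg."""
    s = OopsSummary()
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw, count=1)
        if in_trace:
            m = re.match(r"\s+(\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+", line)
            if m:
                s.trace.append((m.group(1), int(m.group(2), 16)))
                continue
            in_trace = False  # first non-frame line ends the trace
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = re.search(r"paging request at ([0-9a-f]+)", line)
        if m:
            s.fault_addr = int(m.group(1), 16)
        m = re.search(r"PID: (\d+) Comm: (\S+) .*Tainted: (.*?)\s+(\S+)\s+#\d+\s*$", line)
        if m:
            s.pid, s.comm = int(m.group(1)), m.group(2)
            s.taint_letters = "".join(c for c in m.group(3) if c.isalpha())
            s.kernel = m.group(4)
        m = re.search(r"RIP: 0010:(\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+", line)  # kernel RIP only
        if m:
            s.rip_symbol, s.rip_offset = m.group(1), int(m.group(2), 16)
        for reg, val in re.findall(r"\b(R[A-Z0-9]{2}|CR\d): ([0-9a-f]{16})\b", line):
            s.regs[reg] = int(val, 16)
    return s


def decode_taint(letters: str) -> list:
    """Expand taint letters into (letter, bit, meaning); 'G' and '-' carry no bit."""
    return [(c, *TAINT_FLAGS[c]) for c in letters if c in TAINT_FLAGS]


def taint_mask(letters: str) -> int:
    """Numeric value /proc/sys/kernel/tainted would show for these letters."""
    return sum(1 << TAINT_FLAGS[c][0] for c in letters if c in TAINT_FLAGS)


def module_taint(letters: str) -> set:
    """Taint letters that indicate third-party or unsigned kernel code."""
    return {c for c in letters if c in MODULE_TAINTS}


def fault_near_registers(s: OopsSummary, window: int = 0x1000) -> list:
    """General-purpose registers within `window` bytes of the faulting address,
    with the signed displacement CR2 - reg. A small displacement identifies the
    base register of the memory operand that faulted."""
    if s.fault_addr is None:
        return []
    hits = []
    for reg, val in s.regs.items():
        if reg.startswith("CR"):
            continue
        delta = s.fault_addr - val
        if -window <= delta <= window:
            hits.append((reg, delta))
    return hits


def summarise(text: str) -> dict:
    s = parse_oops(text)
    return {
        "comm": s.comm, "pid": s.pid, "kernel": s.kernel,
        "taint": decode_taint(s.taint_letters),
        "taint_mask": taint_mask(s.taint_letters),
        "needs_untainted_repro": bool(module_taint(s.taint_letters)),
        "fault_symbol": f"{s.rip_symbol}+0x{s.rip_offset:x}",
        "fault_addr_near": [(r, hex(d)) for r, d in fault_near_registers(s)],
        "trace": [sym for sym, _ in s.trace],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_OOPS).items():
        print(f"{key}: {value}")
```

Run it against a saved dmesg instead of the sample to get the same summary for another Oops; the "needs_untainted_repro" field reproduces the decision taken in this comment, and the register check gives the starting point for reading the Code bytes by hand.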

Comment 3 RHEL Program Management 2023-08-27 07:28:09 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 4 Red Hat Bugzilla 2023-12-26 04:25:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.