Bug 2227000 - use after free established_get_first.isra.43+0x9f [NEEDINFO]
Summary: use after free established_get_first.isra.43+0x9f
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kernel
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Networking Services Kernel Team bug triage
QA Contact: xmu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-27 10:40 UTC by rtulchii
Modified: 2023-07-27 16:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
pabeni: needinfo? (rtulchii)




Links:
Red Hat Issue Tracker RHELPLAN-163676 (last updated 2023-07-27 10:42:08 UTC)

Description rtulchii 2023-07-27 10:40:13 UTC
Description of problem:
The crash occurs in net/ipv4/tcp_ipv4.c:2269 in the function established_get_first(struct seq_file *seq): in tcp_hashinfo sits a pointer to an sk_nulls_node which leads to an already nonexistent socket.

dmesg content:

[244019.741040] sh (1274115): drop_caches: 3
[244194.019301] BUG: unable to handle kernel paging request at ffff965e91a6a5e0
[244194.020210] PGD 0 P4D 0 
[244194.020417] Oops: 0000 [#1] SMP NOPTI
[244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1
[244194.020743] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[244194.020940] RIP: 0010:established_get_first.isra.43+0x9f/0xe0
[244194.021080] Code: bb de 64 02 4c 8d 2c 90 4c 89 ef e8 9b c4 10 00 48 63 53 20 48 8b 45 00 48 8b 14 d0 f6 c2 01 75 1d 41 0f b7 0e 66 85 c9 74 06 <66> 39 4a a8 75 06 4c 3b 62 c8 74 12 48 8b 12 f6 c2 01 74 e7 4c 89
[244194.021396] RSP: 0018:ffffbf438ad47e08 EFLAGS: 00010202
[244194.021506] RAX: ffffbf43869a2000 RBX: ffff9c9053ce6e00 RCX: 0000000000000002
[244194.021608] RDX: ffff965e91a6a638 RSI: ffffbf43869a2000 RDI: ffff9c904781ce78
[244194.021707] RBP: ffffffffa9b32f00 R08: 0000000000001000 R09: 0000000000000834
[244194.021858] R10: 000000000000000f R11: ffff9c9095747820 R12: ffffffffa8930bc0
[244194.021963] R13: ffff9c904781ce78 R14: ffffffffa8947fa0 R15: ffff9c9054189500
[244194.022153] FS:  00007f3a300e1040(0000) GS:ffff9c9e43b80000(0000) knlGS:0000000000000000
[244194.022283] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[244194.022401] CR2: ffff965e91a6a5e0 CR3: 000000022ae68000 CR4: 0000000000350ee0
[244194.022518] Call Trace:
[244194.022993]  tcp_seq_next+0x45/0x90
[244194.023187]  seq_read+0x2ad/0x420
[244194.023571]  proc_reg_read+0x39/0x60
[244194.023922]  vfs_read+0x91/0x150
[244194.024047]  ksys_read+0x4f/0xb0
[244194.024171]  do_syscall_64+0x5b/0x1b0
[244194.024304]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[244194.024445] RIP: 0033:0x7f3a2f9f0b25
[244194.024576] Code: fe ff ff 50 48 8d 3d 0a c9 06 00 e8 25 ee 01 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 f5 4b 2a 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[244194.024808] RSP: 002b:00007ffd260ba688 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[244194.024967] RAX: ffffffffffffffda RBX: 0000561ea39e42a0 RCX: 00007f3a2f9f0b25
[244194.025093] RDX: 0000000000001000 RSI: 0000561ea39eaeb0 RDI: 0000000000000003
[244194.025194] RBP: 0000000000000d68 R08: 0000000000000001 R09: 0000000000000000
[244194.025333] R10: 00007f3a300e1040 R11: 0000000000000246 R12: 00007f3a2fc8c860
[244194.025458] R13: 00007f3a2fc8d3a0 R14: 0000000000001fff R15: 0000561ea39e42a0
[244194.025629] Modules linked in: tcp_diag inet_diag fuse vfat msdos fat dm_mod xt_REDIRECT xt_owner xt_conntrack ipt_REJECT nf_reject_ipv4 kcare(OE) nft_chain_nat xt_nat nf_nat xt_set xt_multiport ip6t_REJECT nf_reject_ipv6 xt_NFLOG nft_compat ip_set_bitmap_port ip_set_list_set ip_set_hash_net ip_set kmodlve(O) xfs netconsole nft_ct nf_conntrack intel_rapl_msr nf_defrag_ipv6 nf_defrag_ipv4 intel_rapl_common nfnetlink_log loop nft_counter amd_energy crct10dif_pclmul crc32_pclmul nf_tables ghash_clmulni_intel libcrc32c joydev nfnetlink pcspkr i2c_piix4 virtio_balloon sunrpc ext4 mbcache jbd2 sd_mod t10_pi sg ata_generic bochs drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helper virtio_net ata_piix ttm net_failover libata drm crc32c_intel virtio_scsi serio_raw failover
[244194.030215] kmodlve srcversion: C9064AFBF5F28A36F0CDBB2
[244194.030220] CR2: ffff965e91a6a5e0

Version-Release number of selected component (if applicable):
4.18.0-425.10.1.el8

How reproducible:
Not reproducible

Comment 1 Paolo Abeni 2023-07-27 16:12:48 UTC
(In reply to rtulchii from comment #0)
> [244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G  
> OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1

The kernel is tainted with out-of-tree, unsigned, proprietary module. Can you reproduce/observe again the issue with an untainted kernel?

Otherwise I can't investigate the problem.
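As an added triage example (not part of the bug report, and not Red Hat or Linux kernel project code), the following Python script parses the dmesg excerpt from comment #0, decodes the `Tainted:` letters according to the kernel's `Documentation/admin-guide/tainted-kernels.rst`, lists which modules carry their own taint markers (the `(OE)` suffix on `kcare` is what comment 1 refers to), and pulls out the faulting address, the kernel-side `RIP` symbol and the call trace. The function names, the report layout and the trimmed sample are my own; the sample lines are copied from the oops above.

```python
"""Oops triage helper: extract what a maintainer checks first from a pasted oops.

Added example; not code from the bug report, Red Hat or the kernel project.
Taint letters follow Documentation/admin-guide/tainted-kernels.rst.
"""
import re

# Constructed sample: a subset of the dmesg lines quoted in the report.
SAMPLE_OOPS = """\
[244194.019301] BUG: unable to handle kernel paging request at ffff965e91a6a5e0
[244194.020417] Oops: 0000 [#1] SMP NOPTI
[244194.020534] CPU: 7 PID: 1274706 Comm: netstat Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.10.1.lve.el8.x86_64 #1
[244194.020940] RIP: 0010:established_get_first.isra.43+0x9f/0xe0
[244194.022518] Call Trace:
[244194.022993]  tcp_seq_next+0x45/0x90
[244194.023187]  seq_read+0x2ad/0x420
[244194.023571]  proc_reg_read+0x39/0x60
[244194.023922]  vfs_read+0x91/0x150
[244194.024047]  ksys_read+0x4f/0xb0
[244194.024171]  do_syscall_64+0x5b/0x1b0
[244194.024304]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[244194.024445] RIP: 0033:0x7f3a2f9f0b25
[244194.025629] Modules linked in: tcp_diag inet_diag fuse kcare(OE) nft_chain_nat kmodlve(O) xfs virtio_net
"""

# Taint letters as documented by the kernel ('G' means "no proprietary module",
# so it is not a taint and is intentionally absent).
TAINT_LETTERS = {
    "P": "proprietary module loaded", "F": "module force-loaded",
    "S": "running on an out-of-spec system", "R": "module force-unloaded",
    "M": "machine check exception occurred", "B": "bad page referenced",
    "U": "taint requested by userspace", "D": "kernel died recently (OOPS or BUG)",
    "A": "ACPI table overridden", "W": "warning emitted by the kernel",
    "C": "staging driver loaded", "I": "platform firmware workaround applied",
    "O": "out-of-tree module loaded", "E": "unsigned module loaded",
    "L": "soft lockup occurred", "K": "kernel live-patched",
    "X": "auxiliary taint (distro-defined)", "T": "built with struct randomization plugin",
}

_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s*")            # dmesg timestamp
_TAINT = re.compile(r"Tainted:\s*(?P<flags>.*?)\s+(?P<kernel>\S+)\s+#\d+\s*$")
_FRAME = re.compile(r"^(?:\?\s+)?(?P<sym>\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_MODULE = re.compile(r"^(?P<name>[^()\s]+)\((?P<taint>[A-Z]+)\)$")
_FAULT = re.compile(r"(?:paging request at|page fault for address:)\s*(?P<addr>(?:0x)?[0-9a-f]+)")


def decode_taint(flags):
    """Map the letters set in a 'Tainted:' field to their documented meaning.
    Spaces and '-' (unset positions in the RHEL fixed-width layout) are ignored."""
    return {ch: TAINT_LETTERS[ch] for ch in flags if ch in TAINT_LETTERS}


def parse_oops(text):
    """Walk the oops line by line and collect the fields a triager reads first."""
    report = {"fault_address": None, "rip": None, "kernel": None,
              "taint": {}, "call_trace": [], "tainting_modules": {}}
    in_trace = False
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw, count=1).strip()
        if line in ("<TASK>", "</TASK>"):       # newer kernels bracket the trace
            continue
        if in_trace:
            m = _FRAME.match(line)
            if m:
                report["call_trace"].append(m.group("sym"))
                continue
            in_trace = False                     # first non-frame line ends it
        if line == "Call Trace:":
            in_trace = True
        elif (m := _FAULT.search(line)):
            report["fault_address"] = m.group("addr")
        elif (m := _TAINT.search(line)):
            report["kernel"] = m.group("kernel")
            report["taint"] = decode_taint(m.group("flags"))
        elif line.startswith("RIP: 0010:") and report["rip"] is None:
            report["rip"] = line[len("RIP: 0010:"):]   # kernel CS only, not the 0033 user RIP
        elif line.startswith("Modules linked in:"):
            for tok in line.split(":", 1)[1].split():
                m = _MODULE.match(tok)
                if m:                            # e.g. kcare(OE): per-module taint marks
                    report["tainting_modules"][m.group("name")] = m.group("taint")
    return report


def triage(text):
    """Return the parsed report plus human-readable findings for the bug thread."""
    report = parse_oops(text)
    findings = []
    if report["taint"]:
        findings.append("kernel tainted: " + ", ".join(
            f"{k} ({v})" for k, v in sorted(report["taint"].items())))
    for name, marks in report["tainting_modules"].items():
        findings.append(f"module {name} carries taint marks {marks}")
    if report["rip"]:
        findings.append(f"faulting kernel symbol: {report['rip']}")
    return report, findings


if __name__ == "__main__":
    for note in triage(SAMPLE_OOPS)[1]:
        print(note)
```

Run against the sample, the findings name the `O` and `E` taints, attribute them to `kcare` (both) and `kmodlve` (out-of-tree only), and identify `established_get_first.isra.43+0x9f/0xe0` as the faulting symbol; that is exactly the information a maintainer needs before deciding whether the report can be worked on as filed.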

