====================================== | xx__-> [ 2076.939873][T18987] ================================================================== | [2076.940264][T18987] BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) | [ 2076.940556][T18987] Read of size 4 at addr ffff88801637d998 by task socat/18987 | [ 2076.940850][T18987] [ 2076.940967][T18987] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 2076.940969][T18987] Call Trace: [ 2076.940971][T18987] [2076.940972][T18987] dump_stack_lvl (lib/dump_stack.c:123) [2076.940979][T18987] print_address_description.constprop.0 (mm/kasan/report.c:409) [2076.940985][T18987] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) [2076.940988][T18987] print_report (mm/kasan/report.c:522) [2076.940991][T18987] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) [2076.940993][T18987] ? kasan_addr_to_slab (./include/linux/mm.h:1178 mm/kasan/../slab.h:211 mm/kasan/common.c:38) [2076.940998][T18987] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) [2076.941001][T18987] kasan_report (mm/kasan/report.c:636) [2076.941004][T18987] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) [2076.941009][T18987] tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) [2076.941015][T18987] tcp_try_rmem_schedule (./include/linux/instrumented.h:68 ./include/linux/atomic/atomic-instrumented.h:32 net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5577 net/ipv4/tcp_input.c:4907) [2076.941022][T18987] tcp_data_queue (net/ipv4/tcp_input.c:5192) [2076.941029][T18987] ? __pfx_tcp_data_queue (net/ipv4/tcp_input.c:5145) [2076.941033][T18987] ? kvm_clock_get_cycles (./arch/x86/include/asm/preempt.h:95 arch/x86/kernel/kvmclock.c:80 arch/x86/kernel/kvmclock.c:86) [2076.941038][T18987] ? 
ktime_get (kernel/time/timekeeping.c:251 (discriminator 4) kernel/time/timekeeping.c:360 (discriminator 4) kernel/time/timekeeping.c:778 (discriminator 4)) [2076.941043][T18987] tcp_rcv_established (./include/linux/skbuff.h:2148 ./include/net/tcp.h:2089 ./include/net/tcp.h:2170 net/ipv4/tcp_input.c:5662 net/ipv4/tcp_input.c:6210) [2076.941048][T18987] ? find_held_lock (kernel/locking/lockdep.c:5353) [2076.941053][T18987] ? __pfx_tcp_rcv_established (net/ipv4/tcp_input.c:6027) [2076.941057][T18987] ? ipv4_dst_check (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 net/ipv4/route.c:401 net/ipv4/route.c:1216) [2076.941063][T18987] tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1972) [2076.941067][T18987] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) [2076.941072][T18987] __release_sock (./include/net/sock.h:1148 net/core/sock.c:3188) [2076.941080][T18987] release_sock (net/core/sock.c:3744) [2076.941083][T18987] tcp_recvmsg (net/ipv4/tcp.c:2908) [2076.941088][T18987] ? __unix_dgram_recvmsg (net/unix/af_unix.c:2583) [2076.941092][T18987] ? __pfx_tcp_recvmsg (net/ipv4/tcp.c:2892) [2076.941096][T18987] ? __unix_dgram_recvmsg (net/unix/af_unix.c:2583) [2076.941100][T18987] ? __mutex_unlock_slowpath (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4329 ./include/linux/atomic/atomic-long.h:1506 ./include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:926) [2076.941105][T18987] ? __pfx___mutex_unlock_slowpath (kernel/locking/mutex.c:903) [2076.941110][T18987] inet_recvmsg (net/ipv4/af_inet.c:885 (discriminator 8)) [2076.941114][T18987] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) [2076.941118][T18987] ? __unix_dgram_recvmsg (net/unix/af_unix.c:2583) [2076.941122][T18987] sock_read_iter (net/socket.c:1065 net/socket.c:1087 net/socket.c:1157) [2076.941128][T18987] ? __pfx___unix_dgram_recvmsg (net/unix/af_unix.c:2554) [2076.941131][T18987] ? 
__pfx_sock_read_iter (net/socket.c:1141) [2076.941141][T18987] vfs_read (fs/read_write.c:491 fs/read_write.c:572) [2076.941145][T18987] ? __pfx___sys_recvfrom (net/socket.c:2255) [2076.941149][T18987] ? __pfx_vfs_read (fs/read_write.c:553) [2076.941155][T18987] ? __rseq_handle_notify_resume (kernel/rseq.c:442) [2076.941163][T18987] ksys_read (fs/read_write.c:715) [2076.941166][T18987] ? __pfx_ksys_read (fs/read_write.c:705) [2076.941172][T18987] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) [2076.941178][T18987] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 2076.941181][T18987] RIP: 0033:0x7fc562e02292 [ 2076.941185][T18987] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 6a 15 0c 00 e8 65 e1 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 All code ======== 0: c0 e9 b2 shr $0xb2,%cl 3: fe (bad) 4: ff (bad) 5: ff 50 48 call *0x48(%rax) 8: 8d 3d 6a 15 0c 00 lea 0xc156a(%rip),%edi # 0xc1578 e: e8 65 e1 01 00 call 0x1e178 13: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 18: f3 0f 1e fa endbr64 1c: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 23: 00 24: 85 c0 test %eax,%eax 26: 75 10 jne 0x38 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 56 ja 0x88 32: c3 ret 33: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 38: 48 83 ec 28 sub $0x28,%rsp 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 54 push %rsp 3f: 24 .byte 0x24 Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 56 ja 0x5e 8: c3 ret 9: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) e: 48 83 ec 28 sub $0x28,%rsp 12: 48 rex.W 13: 89 .byte 0x89 14: 54 push %rsp 15: 24 .byte 0x24 [ 2076.941188][T18987] RSP: 002b:00007fffc8fe63c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 2076.941192][T18987] RAX: ffffffffffffffda RBX: 000056451c947560 RCX: 00007fc562e02292 [ 2076.941194][T18987] RDX: 
0000000000002000 RSI: 000056451c949000 RDI: 0000000000000008
[ 2076.941196][T18987] RBP: 000056451c949000 R08: 0000000000002000 R09: 0000000000000000
[ 2076.941198][T18987] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000008
Fingerprints: print_report:kasan_report:tcp_prune_ofo_queue:tcp_try_rmem_schedule:tcp_data_queue