__inet6_lookup_established
syzkaller-id: 98386060493b95dc590bcdc62ba9e5b17f6068f1
HEAD: f60fb4a
Trace:
================================================================== BUG: KASAN: slab-use-after-free in __inet6_lookup_established+0x5f9/0xdb0 net/ipv6/inet6_hashtables.c:70 Read of size 4 at addr ffff888109b2c008 by task kworker/2:1/78 CPU: 2 PID: 78 Comm: kworker/2:1 Not tainted 6.9.0-gf60fb4acdbea #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x14f/0x1e0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x165/0x550 mm/kasan/report.c:488 kasan_report+0xc4/0x100 mm/kasan/report.c:601 __inet6_lookup_established+0x5f9/0xdb0 net/ipv6/inet6_hashtables.c:70 __inet6_lookup include/net/inet6_hashtables.h:95 [inline] __inet6_lookup_skb include/net/inet6_hashtables.h:164 [inline] tcp_v6_rcv+0xe1c/0x3050 net/ipv6/tcp_ipv6.c:1792 ip6_protocol_deliver_rcu+0xe84/0x1cb0 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:492 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xef/0x2c0 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5624 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5738 process_backlog+0x368/0x6f0 net/core/dev.c:6067 __napi_poll+0xc6/0x5b0 net/core/dev.c:6721 napi_poll net/core/dev.c:6790 [inline] net_rx_action+0x6cd/0x1080 net/core/dev.c:6906 8021q: adding VLAN 0 to HW filter on device batadv0 handle_softirqs+0x183/0x520 kernel/softirq.c:554 do_softirq+0xdd/0x130 kernel/softirq.c:455 </IRQ> <TASK> __local_bh_enable_ip+0x7b/0x80 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:851 [inline] __dev_queue_xmit+0x141b/0x3610 net/core/dev.c:4420 dev_queue_xmit include/linux/netdevice.h:3095 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output 
include/net/neighbour.h:540 [inline] ip6_finish_output2+0x106e/0x1900 net/ipv6/ip6_output.c:137 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1fb/0x520 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xd67/0x1920 net/ipv6/ip6_output.c:358 inet6_csk_xmit+0x2df/0x460 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x1dd0/0x36f0 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_write_xmit+0x1957/0x6e70 net/ipv4/tcp_output.c:2829 __tcp_push_pending_frames net/ipv4/tcp_output.c:3014 [inline] tcp_send_fin+0x71e/0xe50 net/ipv4/tcp_output.c:3618 __tcp_close+0xd94/0x1a10 net/ipv4/tcp.c:2861 __mptcp_close_ssk+0x426/0x1450 net/mptcp/protocol.c:2469 mptcp_destroy_common+0x15b/0x600 net/mptcp/protocol.c:3363 mptcp_destroy+0x86/0x120 net/mptcp/protocol.c:3388 __mptcp_destroy_sock+0x139/0x3b0 net/mptcp/protocol.c:3008 mptcp_worker+0xd8f/0x1850 net/mptcp/protocol.c:2763 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0x77d/0x1020 kernel/workqueue.c:3312 worker_thread+0xbed/0x1230 kernel/workqueue.c:3393 kthread+0x2be/0x350 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5175: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x9d/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:4039 [inline] __kmalloc+0x1ed/0x480 mm/slub.c:4052 kmalloc include/linux/slab.h:632 [inline] sk_prot_alloc+0xac/0x200 net/core/sock.c:2080 sk_clone_lock+0x55/0x1090 net/core/sock.c:2284 inet_csk_clone_lock+0x26/0x410 net/ipv4/inet_connection_sock.c:1169 tcp_create_openreq_child+0x34/0x1b80 net/ipv4/tcp_minisocks.c:511 tcp_v6_syn_recv_sock+0x413/0x19c0 
net/ipv6/tcp_ipv6.c:1436 subflow_syn_recv_sock+0x4b5/0x1700 net/mptcp/subflow.c:841 tcp_get_cookie_sock+0xe4/0x5a0 net/ipv4/syncookies.c:204 cookie_v6_check+0xfe6/0x1750 net/ipv6/syncookies.c:268 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1300 [inline] tcp_v6_do_rcv+0x757/0x13d0 net/ipv6/tcp_ipv6.c:1658 tcp_v6_rcv+0x216a/0x3050 net/ipv6/tcp_ipv6.c:1910 ip6_protocol_deliver_rcu+0xe84/0x1cb0 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:492 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xef/0x2c0 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5624 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5738 process_backlog+0x368/0x6f0 net/core/dev.c:6067 __napi_poll+0xc6/0x5b0 net/core/dev.c:6721 napi_poll net/core/dev.c:6790 [inline] net_rx_action+0x6cd/0x1080 net/core/dev.c:6906 handle_softirqs+0x183/0x520 kernel/softirq.c:554 do_softirq+0xdd/0x130 kernel/softirq.c:455 __local_bh_enable_ip+0x7b/0x80 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:851 [inline] __dev_queue_xmit+0x141b/0x3610 net/core/dev.c:4420 dev_queue_xmit include/linux/netdevice.h:3095 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip6_finish_output2+0x106e/0x1900 net/ipv6/ip6_output.c:137 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1fb/0x520 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xd67/0x1920 net/ipv6/ip6_output.c:358 inet6_csk_xmit+0x2df/0x460 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x1dd0/0x36f0 net/ipv4/tcp_output.c:1466 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6489 [inline] tcp_rcv_state_process+0x205e/0x4300 net/ipv4/tcp_input.c:6676 tcp_v6_do_rcv+0x825/0x13d0 
net/ipv6/tcp_ipv6.c:1673 __release_sock+0x10c/0x1c0 net/core/sock.c:2983 release_sock+0x61/0x1e0 net/core/sock.c:3549 mptcp_connect+0x61d/0xc20 net/mptcp/protocol.c:3767 __inet_stream_connect+0x28b/0xe20 net/ipv4/af_inet.c:679 inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:750 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2c3/0x3d0 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 765: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0x106/0x170 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4353 [inline] kfree+0xee/0x2a0 mm/slub.c:4463 sk_prot_free net/core/sock.c:2116 [inline] __sk_destruct+0x4ae/0x630 net/core/sock.c:2208 tcp_v6_rcv+0x2507/0x3050 net/ipv6/tcp_ipv6.c:1928 ip6_protocol_deliver_rcu+0xe84/0x1cb0 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:492 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xef/0x2c0 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5624 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5738 process_backlog+0x368/0x6f0 net/core/dev.c:6067 __napi_poll+0xc6/0x5b0 net/core/dev.c:6721 napi_poll net/core/dev.c:6790 [inline] net_rx_action+0x6cd/0x1080 net/core/dev.c:6906 handle_softirqs+0x183/0x520 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x45/0xe0 kernel/softirq.c:637 
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 The buggy address belongs to the object at ffff888109b2c000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 8 bytes inside of freed 4096-byte region [ffff888109b2c000, ffff888109b2d000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b28 head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x200000000000840(slab|head|node=0|zone=2) page_type: 0xffffffff() raw: 0200000000000840 ffff888100042140 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 head: 0200000000000840 ffff888100042140 0000000000000000 dead000000000001 head: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 head: 0200000000000003 ffffea000426ca01 ffffea000426ca48 00000000ffffffff head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888109b2bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888109b2bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888109b2c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888109b2c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888109b2c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
Happened on K9
No reproducer.
@cpaasch Do you still have this issue?