On Thu, Apr 6, 2023 at 4:48 AM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
>
> On Wed, Apr 5, 2023 at 9:42 PM Kuniyuki Iwashima <kuniyu@xxxxxxxxxx> wrote:
> >
> > From: Eric Dumazet <edumazet@xxxxxxxxxx>
> > Date: Wed, 5 Apr 2023 13:28:16 +0200
> > > On Wed, Apr 5, 2023 at 12:41 PM Dae R. Jeong <threeearcat@xxxxxxxxx> wrote:
> > > >
> > > > Hi,
> > > >
> > > > We observed an issue "KASAN: use-after-free Read in tcp_write_timer_handler" during fuzzing.
> > > >
> > > > Unfortunately, we have not found a reproducer for the crash yet. We
> > > > will inform you if we have any update on this crash. Detailed crash
> > > > information is attached below.
> > > >
> > >
> > > Thanks for the report.
> > >
> > > I have dozens of similar syzbot reports, with no repro.
> > >
> > > I usually hold them, because otherwise it is just noise to mailing lists.
> > >
> > > Normally, all user TCP sockets hold a reference on the netns
> > >
> > > In all these cases, we see a netns being dismantled while there is at
> > > least one socket with a live timer.
> > >
> > > This is therefore a kernel TCP socket, for which we do not have yet
> > > debugging infra ( REF_TRACKER )
> > >
> > > CONFIG_NET_DEV_REFCNT_TRACKER=y is helping to detect too many dev_put(),
> > > we need something tracking the "kernel sockets" as well.
> >
> > Maybe I missed something, but we track kernel sockets with netns
> > by notrefcnt_tracker ?
>
> Oh right, I forgot I did this already :)
>
> commit 0cafd77dcd032d1687efaba5598cf07bce85997f
> Author: Eric Dumazet <edumazet@xxxxxxxxxx>
> Date:   Thu Oct 20 23:20:18 2022 +0000
>
>     net: add a refcount tracker for kernel sockets
>
> Dae, make sure to not send reports based on old kernels.
>
> Using 6.0-rc7 is a waste of your time, and everyone else reading this thread.
>

I confess I did not check this, and I really should do that all the
time. I'm sorry and I understand your time is valuable. I will let you
know when I observe this issue again.

> >
> > I thought now CONFIG_NET_NS_REFCNT_TRACKER can catch the case.
> >
> >
> > >
> > > Otherwise bugs in subsystems not properly dismantling their kernel
> > > socket at netns dismantle are next to impossible to track and fix.
> > >
> > > If anyone has time to implement this, feel free to submit patches.
> > >
> > > Thanks.

Best regards,
Dae R. Jeong.
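
The tracking idea discussed in this thread, as an added userspace model in C; it is not kernel code and not taken from the thread or from the commit cited above. The names `netns_model`, `ksock_create`, `ksock_release`, `netns_dismantle`, `demo`, `subsys_a` and `subsys_b` are hypothetical; only the field name `notrefcnt` echoes the `notrefcnt_tracker` mentioned above. Each kernel socket is recorded with its owner without pinning the namespace, so dismantle can name the owner that never released its socket.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model: one entry per kernel socket, tagged with a made-up owner name. */
struct tracker { const char *site; struct tracker *next; };
struct netns_model { struct tracker *notrefcnt; };  /* listed, not pinning the netns */
static char last_report[128];                       /* owners found at dismantle */

/* Kernel socket creation: record the owner without taking a netns reference. */
static struct tracker *ksock_create(struct netns_model *ns, const char *site)
{
    struct tracker *t = malloc(sizeof(*t));
    if (!t) return NULL;
    t->site = site;
    t->next = ns->notrefcnt;
    ns->notrefcnt = t;
    return t;
}

/* Kernel socket release: unlink and free the matching entry, if present. */
static void ksock_release(struct netns_model *ns, struct tracker *t)
{
    for (struct tracker **p = &ns->notrefcnt; *p; p = &(*p)->next)
        if (*p == t) { *p = t->next; free(t); return; }
}

/* Netns dismantle: anything still listed is a socket its owner never released. */
static int netns_dismantle(struct netns_model *ns, char *report, size_t len)
{
    int leaked = 0;
    report[0] = '\0';
    for (struct tracker *t; (t = ns->notrefcnt) != NULL; leaked++) {
        ns->notrefcnt = t->next;
        snprintf(report + strlen(report), len - strlen(report), "%s;", t->site);
        free(t);
    }
    return leaked;
}

/* Constructed scenario: subsys_a cleans up before dismantle, subsys_b does not. */
static int demo(void)
{
    struct netns_model ns = { NULL };
    struct tracker *a = ksock_create(&ns, "subsys_a");
    ksock_create(&ns, "subsys_b");
    ksock_release(&ns, a);
    return netns_dismantle(&ns, last_report, sizeof(last_report));
}
```

Calling `demo()` returns the number of kernel sockets still listed at dismantle and leaves their owner names in `last_report`.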