On Tue, Feb 21, 2017 at 2:56 PM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote: > On Tue, Feb 21, 2017 at 2:27 PM, Andrey Ryabinin > <aryabinin@xxxxxxxxxxxxx> wrote: >> DCCP doesn't purge timewait sockets on network namespace shutdown. >> So, after net namespace destroyed we could still have an active timer >> which will trigger use after free in tw_timer_handler(): >> >> BUG: KASAN: use-after-free in tw_timer_handler+0x4a/0xa0 at addr ffff88010e0d1e10 >> Read of size 8 by task swapper/1/0 >> Call Trace: >> __asan_load8+0x54/0x90 >> tw_timer_handler+0x4a/0xa0 >> call_timer_fn+0x127/0x480 >> expire_timers+0x1db/0x2e0 >> run_timer_softirq+0x12f/0x2a0 >> __do_softirq+0x105/0x5b4 >> irq_exit+0xdd/0xf0 >> smp_apic_timer_interrupt+0x57/0x70 >> apic_timer_interrupt+0x90/0xa0 >> >> Object at ffff88010e0d1bc0, in cache net_namespace size: 6848 >> Allocated: >> save_stack_trace+0x1b/0x20 >> kasan_kmalloc+0xee/0x180 >> kasan_slab_alloc+0x12/0x20 >> kmem_cache_alloc+0x134/0x310 >> copy_net_ns+0x8d/0x280 >> create_new_namespaces+0x23f/0x340 >> unshare_nsproxy_namespaces+0x75/0xf0 >> SyS_unshare+0x299/0x4f0 >> entry_SYSCALL_64_fastpath+0x18/0xad >> Freed: >> save_stack_trace+0x1b/0x20 >> kasan_slab_free+0xae/0x180 >> kmem_cache_free+0xb4/0x350 >> net_drop_ns+0x3f/0x50 >> cleanup_net+0x3df/0x450 >> process_one_work+0x419/0xbb0 >> worker_thread+0x92/0x850 >> kthread+0x192/0x1e0 >> ret_from_fork+0x2e/0x40 >> >> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge >> timewait sockets on net namespace destruction and prevent above issue. > > > Aha! Thanks for tracking this down! > > Queued the patch on syzkaller bots, should have the verdict in several hours. I do not see the crash happening after applying the patch. -- To unsubscribe from this list: send the line "unsubscribe dccp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
