From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
To: netdev@vger.kernel.org, eric.dumazet@gmail.com, lorenzo@google.com
Subject: Crash due to destroying TCP request sockets using SOCK_DESTROY
Date: Thu, 05 Jul 2018 20:37:03 -0600
Message-ID: <95aaa3d59cb3c9cc11b6b83880d92fec@codeaurora.org>
We are seeing a crash on an ARM64 device with an Android 4.14-based kernel.
From the call stack, a TCP socket is being destroyed using netlink_diag.
The memory dump showed that the socket was an inet request socket (in
state TCP_NEW_SYN_RECV) with a refcount of 0.

The crash seems to have happened during a regression test where wifi
was toggled with some browser activity, but it is not very easily
reproducible. I believe netd on Android tries to destroy all sockets in
the system on change of network.
13232.479820: <2> refcount_t: underflow; use-after-free.
13232.479838: <6> ------------[ cut here ]------------
13232.479843: <6> kernel BUG at kernel/msm-4.14/lib/refcount.c:204!
13232.479849: <6> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
13232.479895: <6> CPU: 4 PID: 648 Comm: netd Tainted: G S W O 4.14.49+ #1
13232.479897: <6> task: fffffff5d6e28080 task.stack: ffffff801cf98000
13232.479908: <2> pc : refcount_sub_and_test+0x64/0x78
13232.479910: <2> lr : refcount_sub_and_test+0x64/0x78
13232.479911: <2> sp : ffffff801cf9ba40 pstate : 20400145
13232.479911: <2> x29: ffffff801cf9ba40 x28: fffffff5d6e28080
13232.479914: <2> x27: ffffff801cf9bd10 x26: fffffff4a1428f40
13232.479915: <2> x25: 0000000000000000 x24: ffffffffffffff91
13232.479917: <2> x23: 0000000000000015 x22: fffffff5b837c880
13232.479919: <2> x21: fffffff4a1428f40 x20: 0000000000000000
13232.479920: <2> x19: fffffff4c47c6088 x18: e7b13cd1ecbfea00
13232.479922: <2> x17: 00000008ec3bb553 x16: 011d8776aa792786
13232.479924: <2> x15: e7b13cd1ecbfea00 x14: 000000002bdb7692
13232.479925: <2> x13: 0000000000000000 x12: e7b13cd1ecbfea00
13232.479927: <2> x11: e7b13cd1ecbfea00 x10: 0000000000000000
13232.479928: <2> x9 : e7b13cd1ecbfea00 x8 : 0000000000000000
13232.479929: <2> x7 : 0000000000000001 x6 : 0000000000000001
13232.479931: <2> x5 : 0000000000000000 x4 : 00000c08ed425d69
13232.479932: <2> x3 : 00000066effb6000 x2 : ffffff8f09dc5000
13232.479934: <2> x1 : 0000000000000000 x0 : 0000000000000026
13232.479996: <6> Process netd (pid: 648, stack limit = 0xffffff801cf98000)
13232.479998: <2> Call trace:
13232.480000: <2> refcount_sub_and_test+0x64/0x78
13232.480002: <2> refcount_dec_and_test+0x18/0x24
13232.480005: <2> sock_gen_put+0x1c/0xb0
13232.480009: <2> tcp_diag_destroy+0x54/0x68
13232.480010: <2> inet_diag_cmd_exact+0x78/0xa0
13232.480012: <2> inet_diag_handler_cmd+0xcc/0xf8
13232.480018: <2> sock_diag_rcv_msg+0x130/0x158
13232.480021: <2> netlink_rcv_skb+0xa4/0x11c
13232.480023: <2> sock_diag_rcv+0x34/0x48
13232.480025: <2> netlink_unicast+0x158/0x1f0
13232.480026: <2> netlink_sendmsg+0x334/0x340
13232.480028: <2> sock_sendmsg+0x44/0x60
13232.480031: <2> sock_write_iter+0xac/0xf4
13232.480034: <2> __vfs_write+0x124/0x154
13232.480036: <2> vfs_write+0xcc/0x188
13232.480038: <2> SyS_write+0x60/0xc0
13232.480040: <2> el0_svc_naked+0x34/0x38
13232.480042: <6> Code: 910003fd f0008200 910fd000 97f4158c (d4210000)
13232.480045: <6> ---[ end trace 994bad5b8077e394 ]---
13232.480061: <6> Kernel panic - not syncing: Fatal exception
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
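The refcount arithmetic the report describes (a sock_gen_put() landing on a request socket whose count is already 0), as an added example that is not part of the original message and not kernel code. It models a diag-style destroy path in C: a lookup that takes a reference with refcount_inc_not_zero(), a teardown helper, and the final put by the caller. Its one assumption is the generic one that an underflow in refcount_dec_and_test() means the put was not matched by a reference the caller still held; the message above does not identify which kernel function consumed that reference, and this model makes no claim about it either. Apart from the names echoed from the trace (sock, refcount_dec_and_test, sock_gen_put), every identifier, the one-slot "hash table" and the sample request socket are constructed for the example.

```c
/*
 * Added example: a single-threaded model of the refcount_t arithmetic behind
 * "refcount_t: underflow; use-after-free". Not kernel code, and not a claim
 * about the root cause of the crash reported above. Names echoing the call
 * trace: sock, refcount_dec_and_test, sock_gen_put. Everything else here is
 * constructed for the model.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { TCP_ESTABLISHED = 1, TCP_NEW_SYN_RECV = 12 };   /* same values as Linux */

struct sock {
    int  refcnt;   /* stands in for refcount_t sk_refcnt / rsk_refcnt */
    int  state;
    bool freed;    /* set once the object has been released */
};

/* Counters the scenarios report: underflow events (the condition that printed
 * the warning and, on this device, ended in BUG()) and puts that touched an
 * object that had already been freed. */
static int g_underflows;
static int g_puts_after_free;

/* Saturating semantics of refcount_dec_and_test(): decrementing a zero count
 * is reported and the count stays at zero; the object is not freed again. */
static bool refcount_dec_and_test(struct sock *sk)
{
    if (sk->freed)
        g_puts_after_free++;
    if (sk->refcnt == 0) {
        g_underflows++;
        return false;
    }
    return --sk->refcnt == 0;
}

/* Lookup-side helper: take a reference only while the object is still live. */
static bool refcount_inc_not_zero(struct sock *sk)
{
    if (sk->refcnt == 0)
        return false;
    sk->refcnt++;
    return true;
}

static void sock_gen_put(struct sock *sk)
{
    if (refcount_dec_and_test(sk))
        sk->freed = true;         /* kfree()/RCU free in the kernel */
}

/* One-slot stand-in for the established hash table (constructed); the table
 * owns one reference on whatever it points at. */
static struct sock *ehash_slot;

static struct sock *lookup_established(void)
{
    struct sock *sk = ehash_slot;
    if (!sk || !refcount_inc_not_zero(sk))
        return NULL;              /* absent, or already being torn down */
    return sk;
}

/* Unhash the request socket and release the table's reference only. */
static void reqsk_drop(struct sock *req)
{
    ehash_slot = NULL;
    sock_gen_put(req);
}

/* Same, with consuming semantics: also releases the caller's reference. */
static void reqsk_drop_and_put(struct sock *req)
{
    reqsk_drop(req);
    sock_gen_put(req);
}

/* Destroy path as a diag handler would run it: look the socket up (taking a
 * reference), tear it down, then put the reference the lookup took. With
 * consuming == true the teardown helper has already consumed that reference,
 * so the final put runs against a count of zero on freed memory. */
static int diag_destroy(bool consuming)
{
    struct sock *sk = lookup_established();
    if (!sk)
        return -1;
    if (sk->state == TCP_NEW_SYN_RECV) {
        if (consuming)
            reqsk_drop_and_put(sk);
        else
            reqsk_drop(sk);
    }
    sock_gen_put(sk);
    return 0;
}

/* Runs one scenario on a fresh (constructed) request socket and returns the
 * number of underflow events it produced; 0 is the correct outcome. */
static int run_scenario(bool consuming)
{
    static struct sock req;
    memset(&req, 0, sizeof req);
    req.refcnt = 1;                /* the hash table's reference */
    req.state  = TCP_NEW_SYN_RECV;
    ehash_slot = &req;
    g_underflows = g_puts_after_free = 0;
    if (diag_destroy(consuming) != 0)
        return -1;
    return g_underflows;
}

int main(void)
{
    printf("consuming helper + caller put:     %d underflow(s)\n", run_scenario(true));
    printf("non-consuming helper + caller put: %d underflow(s)\n", run_scenario(false));
    return 0;
}
```

The consuming scenario reports one underflow and one put on an already freed object, the same pair of symptoms the trace shows (a request socket at refcount 0 when sock_gen_put() runs, and the "use-after-free" wording of the warning); the non-consuming scenario frees the socket exactly once. The review habit this models is to write down, for every helper on a destroy path, whether it consumes the caller's reference, and to confirm the caller puts exactly once per reference it still holds.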
Thread overview (5 messages):
2018-07-06 2:37 Subash Abhinov Kasiviswanathan [this message]
2018-07-06 4:46 Lorenzo Colitti
2018-07-06 10:24 Eric Dumazet
2018-07-06 23:24 Subash Abhinov Kasiviswanathan
2018-07-07 7:34 Lorenzo Colitti