Bug 852161 - kernel 5.15.41 crashes with UAF in tcp_wfree when toggling NetworkManager
Summary: kernel 5.15.41 crashes with UAF in tcp_wfree when toggling NetworkManager
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal critical
Assignee: Distribution Kernel Project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-15 13:22 UTC by trourance
Modified: 2022-06-15 17:31 UTC

See Also:
Package list:
Runtime testing required: ---


Description trourance 2022-06-15 13:22:15 UTC
Hi,

The computer freezes and restarts a couple of seconds later. I've found the following trace in the logs:

Jun 15 14:48:48 user-thinkpad kernel: ------------[ cut here ]------------
Jun 15 14:48:48 user-thinkpad kernel: refcount_t: underflow; use-after-free.
Jun 15 14:48:48 user-thinkpad kernel: WARNING: CPU: 11 PID: 6741 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0
Jun 15 14:48:48 user-thinkpad kernel: Modules linked in: tun ipt_REJECT nf_reject_ipv4 ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_mangle ip6table_mangle ip6table_filter ip6table_nat ip6_tables xt_comment xt_mark nf_tables xt_nat veth xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables br_netfilter bridge stp llc overlay snd_seq_dummy snd_hrtimer snd_seq snd_seq_device bnep dm_crypt trusted asn1_encoder snd_ctl_led snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi hid_logitech_hidpp iTCO_wdt intel_pmc_bxt ee1004 snd_soc_dmic iTCO_vendor_support mei_hdcp mei_wdt intel_rapl_msr snd_hda_codec_realtek intel_tcc_cooling snd_hda_codec_generic binfmt_misc x86_pkg_temp_thermal intel_powerclamp coretemp snd_sof_pci_intel_tgl iwlmvm snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence mac80211 kvm_intel snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp libarc4
Jun 15 14:48:48 user-thinkpad kernel:  snd_sof snd_soc_hdac_hda kvm snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi irqbypass soundwire_bus iwlwifi intel_cstate snd_soc_core nvidia_drm(PO) i2c_i801 snd_compress think_lmi ac97_bus nvidia_modeset(PO) intel_uncore joydev pcspkr firmware_attributes_class wmi_bmof i2c_smbus snd_pcm_dmaengine snd_hda_codec_hdmi snd_hda_intel cfg80211 uvcvideo snd_intel_dspcfg snd_intel_sdw_acpi videobuf2_vmalloc snd_hda_codec videobuf2_memops videobuf2_v4l2 igc videobuf2_common nvidia(PO) mei_me snd_hda_core videodev snd_hwdep mei ucsi_acpi drm_kms_helper mc processor_thermal_device_pci_legacy typec_ucsi cec hid_logitech_dj snd_pcm processor_thermal_device typec processor_thermal_rfim drm processor_thermal_mbox thunderbolt processor_thermal_rapl snd_timer intel_rapl_common intel_soc_dts_iosf thinkpad_acpi ledtrig_audio platform_profile snd int3403_thermal soundcore int340x_thermal_zone int3400_thermal intel_hid btusb acpi_thermal_rel sparse_keymap btrtl acpi_pad acpi_tad btbcm
Jun 15 14:48:48 user-thinkpad kernel:  btintel bluetooth ecdh_generic rfkill rtsx_pci_sdmmc mmc_core crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw rtsx_pci nvme nvme_core wmi video pinctrl_tigerlake
Jun 15 14:48:48 user-thinkpad kernel: CPU: 11 PID: 6741 Comm: kubelet Tainted: P           O      5.15.41-gentoo-dist #1
Jun 15 14:48:48 user-thinkpad kernel: Hardware name: LENOVO 20YSCTO1WW/20YSCTO1WW, BIOS N37ET37W (1.18 ) 12/24/2021
Jun 15 14:48:48 user-thinkpad kernel: RIP: 0010:refcount_warn_saturate+0xa6/0xf0
Jun 15 14:48:48 user-thinkpad kernel: Code: 05 4e 67 21 01 01 e8 f6 11 5a 00 0f 0b c3 80 3d 3c 67 21 01 00 75 95 48 c7 c7 58 00 4b 8d c6 05 2c 67 21 01 01 e8 d7 11 5a 00 <0f> 0b c3 80 3d 1b 67 21 01 00 0f 85 72 ff ff ff 48 c7 c7 b0 00 4b
Jun 15 14:48:48 user-thinkpad kernel: RSP: 0000:ffffbb8d0666bd30 EFLAGS: 00010286
Jun 15 14:48:48 user-thinkpad kernel: RAX: 0000000000000026 RBX: ffffa0638f584ae0 RCX: 0000000000000027
Jun 15 14:48:48 user-thinkpad kernel: RDX: ffffa068efee0748 RSI: 0000000000000001 RDI: ffffa068efee0740
Jun 15 14:48:48 user-thinkpad kernel: RBP: ffffa05ded900000 R08: 0000000000000000 R09: ffffbb8d0666bb70
Jun 15 14:48:48 user-thinkpad kernel: R10: ffffbb8d0666bb68 R11: ffffffff8d73bfa8 R12: 0000000000000078
Jun 15 14:48:48 user-thinkpad kernel: R13: ffffa059c995e940 R14: 00000000ffffff94 R15: ffffbb8d006fb060
Jun 15 14:48:48 user-thinkpad kernel: FS:  00007fc5577fe700(0000) GS:ffffa068efec0000(0000) knlGS:0000000000000000
Jun 15 14:48:48 user-thinkpad kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 15 14:48:48 user-thinkpad kernel: CR2: 00007ff5ffb3a000 CR3: 00000001b6402002 CR4: 0000000000770ee0
Jun 15 14:48:48 user-thinkpad kernel: PKRU: 55555554
Jun 15 14:48:48 user-thinkpad kernel: Call Trace:
Jun 15 14:48:48 user-thinkpad kernel:  <TASK>
Jun 15 14:48:48 user-thinkpad kernel:  tcp_wfree+0x11a/0x130
Jun 15 14:48:48 user-thinkpad kernel:  skb_release_head_state+0x2f/0xa0
Jun 15 14:48:48 user-thinkpad kernel:  napi_consume_skb+0xb1/0x120
Jun 15 14:48:48 user-thinkpad kernel:  igc_down+0xfd1/0x2d20 [igc]
Jun 15 14:48:48 user-thinkpad kernel:  ? do_futex+0x1cb/0xb70
Jun 15 14:48:48 user-thinkpad kernel:  ? __schedule+0x280/0x1240
Jun 15 14:48:48 user-thinkpad kernel:  ? ktime_get+0x35/0x90
Jun 15 14:48:48 user-thinkpad kernel:  ? lapic_next_deadline+0x28/0x30
Jun 15 14:48:48 user-thinkpad kernel:  ? clockevents_program_event+0x92/0xf0
Jun 15 14:48:48 user-thinkpad kernel:  __napi_poll+0x27/0x150
Jun 15 14:48:48 user-thinkpad kernel:  net_rx_action+0x22c/0x290
Jun 15 14:48:48 user-thinkpad kernel:  __do_softirq+0xcd/0x282
Jun 15 14:48:48 user-thinkpad kernel:  __irq_exit_rcu+0xb0/0xe0
Jun 15 14:48:48 user-thinkpad kernel:  common_interrupt+0x43/0xa0
Jun 15 14:48:48 user-thinkpad kernel:  ? asm_common_interrupt+0x8/0x40
Jun 15 14:48:48 user-thinkpad kernel:  asm_common_interrupt+0x1e/0x40
Jun 15 14:48:48 user-thinkpad kernel: RIP: 0033:0x4108dd
Jun 15 14:48:48 user-thinkpad kernel: Code: 0f b7 1c 53 90 41 d1 e2 45 0f b6 e1 45 09 e2 45 0f b6 e2 49 81 fc 88 00 00 00 0f 83 4a 04 00 00 4f 8b 64 e0 28 4d 8b 6c 24 40 <4d> 0f bc fd 48 89 d7 ba 40 00 00 00 4c 0f 44 fa 49 83 ff 40 0f 8d
Jun 15 14:48:48 user-thinkpad kernel: RSP: 002b:000000c000aa8978 EFLAGS: 00000283
Jun 15 14:48:48 user-thinkpad kernel: RAX: 0000000000000030 RBX: 0000000000000000 RCX: 0000000000000000
Jun 15 14:48:48 user-thinkpad kernel: RDX: 0000000000000000 RSI: 000000c001190c00 RDI: 000000c00325d9a5
Jun 15 14:48:48 user-thinkpad kernel: RBP: 000000c000aa89e8 R08: 00007fc6241d6f18 R09: 0000000000000001
Jun 15 14:48:48 user-thinkpad kernel: R10: 000000000000000b R11: 0000000000000030 R12: 00007fc5fc2d0798
Jun 15 14:48:48 user-thinkpad kernel: R13: 0005fffbff9ffedf R14: 000000c0007abd40 R15: 0000000000000030
Jun 15 14:48:48 user-thinkpad kernel:  </TASK>
Jun 15 14:48:48 user-thinkpad kernel: ---[ end trace 80bb70e4bca8b727 ]---

Reproducible: Sometimes

Steps to Reproduce:
Not sure how to reproduce, but it seems to be related to NM: it happens when I switch back and forth between the wireless and wired connections.
Actual Results:  
Kernel crashes and the computer freezes and restarts.

Expected Results:  
The computer doesn't restart unexpectedly.

$ emerge --info
Portage 3.0.30 (python 3.9.12-final-0, default/linux/amd64/17.1/desktop, gcc-11.3.0, glibc-2.34-r13, 5.15.41-gentoo-dist x86_64)
=================================================================
System uname: Linux-5.15.41-gentoo-dist-x86_64-11th_Gen_Intel-R-_Core-TM-_i9-11950H_@_2.60GHz-with-glibc2.34
KiB Mem:    65631512 total,  59380632 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Mon, 30 May 2022 15:30:01 +0000
Head commit of repository gentoo: 03b8482ee0f8886496988b418feb13220bd25b82
Timestamp of repository guru: Mon, 30 May 2022 13:03:38 +0000
Head commit of repository guru: fecaa56a41b0bdb407d8dd59fd1a51508037bc5e

sh bash 5.1_p16
ld GNU ld (Gentoo 2.37_p1 p2) 2.37
app-misc/pax-utils:        1.3.3::gentoo
app-shells/bash:           5.1_p16::gentoo
dev-lang/perl:             5.34.0-r9::gentoo
dev-lang/python:           3.9.12::gentoo, 3.10.4::gentoo
dev-lang/rust-bin:         1.59.0::gentoo
dev-util/cmake:            3.22.4::gentoo
dev-util/meson:            0.61.4-r2::gentoo
sys-apps/baselayout:       2.8::gentoo
sys-apps/openrc:           0.44.10::gentoo
sys-apps/sandbox:          2.29::gentoo
sys-devel/autoconf:        2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake:        1.16.5::gentoo
sys-devel/binutils:        2.37_p1-r2::gentoo
sys-devel/binutils-config: 5.4.1::gentoo
sys-devel/gcc:             11.3.0::gentoo
sys-devel/gcc-config:      2.5-r1::gentoo
sys-devel/libtool:         2.4.6-r6::gentoo
sys-devel/llvm:            13.0.1::gentoo
sys-devel/make:            4.3::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc:            2.34-r13::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts: 
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes

guru
    location: /var/db/repos/guru
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/guru.git
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="https://mirror.init7.net/gentoo/ https://ftp.halifax.rwth-aachen.de/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j8"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="X a52 aac acl acpi alsa amd64 bluetooth branding bzip2 cairo cdda cdr cli crypt cups dbus dist-kernel dri dts dvd dvdr elogind encode exif flac fortran gdbm gif gpm gtk gui iconv icu ipv6 jpeg lcms libglvnd libnotify libtirpc mad mng mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds qt5 readline sdl seccomp spell split-usr ssl startup-notification svg tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
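The trace quoted in this report is the kind of block a triager wants pulled out of a journal automatically rather than read by eye. The Python below is an added example, not part of the bug report: it parses each "cut here" ... "end trace" block, keeps the unwinder's verified frames apart from the "?" guesses, records the taint flags (the P flag from the nvidia(PO) modules is usually the first thing a reporter is asked to rule out), and summarises the faulting symbol and driver module. The sample log is a constructed, condensed copy of the trace above.

```python
import re

# Constructed sample: a condensed copy of the oops quoted in this bug report.
SAMPLE_LOG = """\
Jun 15 14:48:48 user-thinkpad kernel: ------------[ cut here ]------------
Jun 15 14:48:48 user-thinkpad kernel: refcount_t: underflow; use-after-free.
Jun 15 14:48:48 user-thinkpad kernel: WARNING: CPU: 11 PID: 6741 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0
Jun 15 14:48:48 user-thinkpad kernel: CPU: 11 PID: 6741 Comm: kubelet Tainted: P           O      5.15.41-gentoo-dist #1
Jun 15 14:48:48 user-thinkpad kernel:  <TASK>
Jun 15 14:48:48 user-thinkpad kernel:  tcp_wfree+0x11a/0x130
Jun 15 14:48:48 user-thinkpad kernel:  igc_down+0xfd1/0x2d20 [igc]
Jun 15 14:48:48 user-thinkpad kernel:  ? do_futex+0x1cb/0xb70
Jun 15 14:48:48 user-thinkpad kernel: ---[ end trace 80bb70e4bca8b727 ]---
"""
PREFIX = re.compile(r"^.*?kernel:\s?")  # strip the journal/syslog prefix
WARN = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (\S+) ")
TAINT = re.compile(r"Comm: (\S+) (?:Not tainted|Tainted: ([A-Z ]+?))\s+(\S+) #\d+")
FRAME = re.compile(r"^(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\S+)\])?$")
END = re.compile(r"^---\[ end trace ([0-9a-f]+) \]---")

def parse_oops(text):
    """Collect every 'cut here' ... 'end trace' block; frames are (symbol, module, reliable)."""
    found, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if "[ cut here ]" in line:
            cur = {"reason": "", "location": "", "comm": "", "taint": [],
                   "kernel": "", "frames": [], "trace_id": ""}
        elif cur is None:
            continue
        elif m := END.match(line):
            cur["trace_id"] = m.group(1); found.append(cur); cur = None
        elif m := WARN.match(line):
            cur["location"] = m.group(1)  # file:line of the WARN_ON that fired
        elif m := TAINT.search(line):
            cur["comm"], cur["kernel"] = m.group(1), m.group(3)
            cur["taint"] = (m.group(2) or "").split()
        elif m := FRAME.match(line):  # a leading '? ' marks an unverified stack slot
            cur["frames"].append((m.group(2), m.group(3), m.group(1) is None))
        elif not cur["reason"] and not line.startswith(("CPU:", "Call", "<")):
            cur["reason"] = line  # first free-text line, e.g. the refcount_t message
    return found

def triage(o):
    """Which symbol, which driver, and whether the kernel is tainted by proprietary code."""
    reliable = [f for f in o["frames"] if f[2]]
    return {"reason": o["reason"], "at": o["location"],
            "top": reliable[0][0] if reliable else None,
            "modules": sorted({f[1] for f in o["frames"] if f[1]}),
            "proprietary_taint": "P" in o["taint"]}
```

Feeding it `journalctl -k -o short` output finds every such block, so repeated occurrences after toggling the connection can be compared by top frame and trace id.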