| Message ID | 20240415182104.110955-1-bethany.jamison@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2024-26782 | expand |
On 4/15/24 12:21 PM, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > mptcp: fix double-free on socket dismantle > > when MPTCP server accepts an incoming connection, it clones its listener > socket. However, the pointer to 'inet_opt' for the new socket has the same > value as the original one: as a consequence, on program exit it's possible > to observe the following splat: > > BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 > Free of addr ffff888485950880 by task swapper/25/0 > > CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 > Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 > Call Trace: > <IRQ> > dump_stack_lvl+0x32/0x50 > print_report+0xca/0x620 > kasan_report_invalid_free+0x64/0x90 > __kasan_slab_free+0x1aa/0x1f0 > kfree+0xed/0x2e0 > inet_sock_destruct+0x54f/0x8b0 > __sk_destruct+0x48/0x5b0 > rcu_do_batch+0x34e/0xd90 > rcu_core+0x559/0xac0 > __do_softirq+0x183/0x5a4 > irq_exit_rcu+0x12d/0x170 > sysvec_apic_timer_interrupt+0x6b/0x80 > </IRQ> > <TASK> > asm_sysvec_apic_timer_interrupt+0x16/0x20 > RIP: 0010:cpuidle_enter_state+0x175/0x300 > Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b > RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 > RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 > RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 > RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 > R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 > R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 > cpuidle_enter+0x4a/0xa0 > do_idle+0x310/0x410 > cpu_startup_entry+0x51/0x60 > start_secondary+0x211/0x270 > secondary_startup_64_no_verify+0x184/0x18b > </TASK> > > Allocated by task 6853: > kasan_save_stack+0x1c/0x40 > kasan_save_track+0x10/0x30 > __kasan_kmalloc+0xa6/0xb0 > __kmalloc+0x1eb/0x450 > cipso_v4_sock_setattr+0x96/0x360 > netlbl_sock_setattr+0x132/0x1f0 > selinux_netlbl_socket_post_create+0x6c/0x110 > selinux_socket_post_create+0x37b/0x7f0 > security_socket_post_create+0x63/0xb0 > __sock_create+0x305/0x450 > __sys_socket_create.part.23+0xbd/0x130 > __sys_socket+0x37/0xb0 > __x64_sys_socket+0x6f/0xb0 > do_syscall_64+0x83/0x160 > entry_SYSCALL_64_after_hwframe+0x6e/0x76 > > Freed by task 6858: > kasan_save_stack+0x1c/0x40 > kasan_save_track+0x10/0x30 > kasan_save_free_info+0x3b/0x60 > __kasan_slab_free+0x12c/0x1f0 > kfree+0xed/0x2e0 > inet_sock_destruct+0x54f/0x8b0 > __sk_destruct+0x48/0x5b0 > subflow_ulp_release+0x1f0/0x250 > tcp_cleanup_ulp+0x6e/0x110 > tcp_v4_destroy_sock+0x5a/0x3a0 > inet_csk_destroy_sock+0x135/0x390 > tcp_fin+0x416/0x5c0 > tcp_data_queue+0x1bc8/0x4310 > tcp_rcv_state_process+0x15a3/0x47b0 > tcp_v4_do_rcv+0x2c1/0x990 > tcp_v4_rcv+0x41fb/0x5ed0 > ip_protocol_deliver_rcu+0x6d/0x9f0 > ip_local_deliver_finish+0x278/0x360 > ip_local_deliver+0x182/0x2c0 > ip_rcv+0xb5/0x1c0 > __netif_receive_skb_one_core+0x16e/0x1b0 > process_backlog+0x1e3/0x650 > __napi_poll+0xa6/0x500 > net_rx_action+0x740/0xbb0 > __do_softirq+0x183/0x5a4 > > The buggy address belongs to the object at ffff888485950880 > which belongs to the cache kmalloc-64 of size 64 > The buggy address is located 0 bytes inside of > 64-byte region [ffff888485950880, ffff8884859508c0) > > The buggy address belongs to the physical page: > page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 > flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) > page_type: 0xffffffff() > raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 > raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff888485950780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888485950800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > >ffff888485950880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ^ > ffff888485950900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888485950980: 00 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc > > Something similar (a refcount underflow) happens with CALIPSO/IPv6. Fix > this by duplicating IP / IPv6 options after clone, so that > ip{,6}_sock_destruct() doesn't end up freeing the same memory area twice. > > [Fix] > > Mantic: Linux-6.6.y fix commit cherry-picked cleanly. > Jammy: Linux-5.15.y fix commit cherry-picked cleanly. > Focal: not-affected > Bionic: not-affected > Xenial: not-affected > Trusty: not-affected > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use Multipath TCP (MPTCP), an issue with this > fix would be visable with a memory leak or a system crash. > > Davide Caratti (1): > mptcp: fix double-free on socket dismantle > > net/mptcp/protocol.c | 49 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 49 insertions(+) > Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 15.04.24 20:21, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > mptcp: fix double-free on socket dismantle > > when MPTCP server accepts an incoming connection, it clones its listener > socket. However, the pointer to 'inet_opt' for the new socket has the same > value as the original one: as a consequence, on program exit it's possible > to observe the following splat: > > BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 > Free of addr ffff888485950880 by task swapper/25/0 > > CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 > Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 > Call Trace: > <IRQ> > dump_stack_lvl+0x32/0x50 > print_report+0xca/0x620 > kasan_report_invalid_free+0x64/0x90 > __kasan_slab_free+0x1aa/0x1f0 > kfree+0xed/0x2e0 > inet_sock_destruct+0x54f/0x8b0 > __sk_destruct+0x48/0x5b0 > rcu_do_batch+0x34e/0xd90 > rcu_core+0x559/0xac0 > __do_softirq+0x183/0x5a4 > irq_exit_rcu+0x12d/0x170 > sysvec_apic_timer_interrupt+0x6b/0x80 > </IRQ> > <TASK> > asm_sysvec_apic_timer_interrupt+0x16/0x20 > RIP: 0010:cpuidle_enter_state+0x175/0x300 > Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b > RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 > RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 > RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 > RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 > R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 > R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 > cpuidle_enter+0x4a/0xa0 > do_idle+0x310/0x410 > cpu_startup_entry+0x51/0x60 > start_secondary+0x211/0x270 > secondary_startup_64_no_verify+0x184/0x18b > </TASK> > > Allocated by task 6853: > kasan_save_stack+0x1c/0x40 > kasan_save_track+0x10/0x30 > __kasan_kmalloc+0xa6/0xb0 > __kmalloc+0x1eb/0x450 > cipso_v4_sock_setattr+0x96/0x360 > netlbl_sock_setattr+0x132/0x1f0 > selinux_netlbl_socket_post_create+0x6c/0x110 > selinux_socket_post_create+0x37b/0x7f0 > security_socket_post_create+0x63/0xb0 > __sock_create+0x305/0x450 > __sys_socket_create.part.23+0xbd/0x130 > __sys_socket+0x37/0xb0 > __x64_sys_socket+0x6f/0xb0 > do_syscall_64+0x83/0x160 > entry_SYSCALL_64_after_hwframe+0x6e/0x76 > > Freed by task 6858: > kasan_save_stack+0x1c/0x40 > kasan_save_track+0x10/0x30 > kasan_save_free_info+0x3b/0x60 > __kasan_slab_free+0x12c/0x1f0 > kfree+0xed/0x2e0 > inet_sock_destruct+0x54f/0x8b0 > __sk_destruct+0x48/0x5b0 > subflow_ulp_release+0x1f0/0x250 > tcp_cleanup_ulp+0x6e/0x110 > tcp_v4_destroy_sock+0x5a/0x3a0 > inet_csk_destroy_sock+0x135/0x390 > tcp_fin+0x416/0x5c0 > tcp_data_queue+0x1bc8/0x4310 > tcp_rcv_state_process+0x15a3/0x47b0 > tcp_v4_do_rcv+0x2c1/0x990 > tcp_v4_rcv+0x41fb/0x5ed0 > ip_protocol_deliver_rcu+0x6d/0x9f0 > ip_local_deliver_finish+0x278/0x360 > ip_local_deliver+0x182/0x2c0 > ip_rcv+0xb5/0x1c0 > __netif_receive_skb_one_core+0x16e/0x1b0 > process_backlog+0x1e3/0x650 > __napi_poll+0xa6/0x500 > net_rx_action+0x740/0xbb0 > __do_softirq+0x183/0x5a4 > > The buggy address belongs to the object at ffff888485950880 > which belongs to the cache kmalloc-64 of size 64 > The buggy address is located 0 bytes inside of > 64-byte region [ffff888485950880, ffff8884859508c0) > > The buggy address belongs to the physical page: > page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 > flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) > page_type: 0xffffffff() > raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 > raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff888485950780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888485950800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > >ffff888485950880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ^ > ffff888485950900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888485950980: 00 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc > > Something similar (a refcount underflow) happens with CALIPSO/IPv6. Fix > this by duplicating IP / IPv6 options after clone, so that > ip{,6}_sock_destruct() doesn't end up freeing the same memory area twice. > > [Fix] > > Mantic: Linux-6.6.y fix commit cherry-picked cleanly. > Jammy: Linux-5.15.y fix commit cherry-picked cleanly. > Focal: not-affected > Bionic: not-affected > Xenial: not-affected > Trusty: not-affected > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use Multipath TCP (MPTCP), an issue with this > fix would be visable with a memory leak or a system crash. > > Davide Caratti (1): > mptcp: fix double-free on socket dismantle > > net/mptcp/protocol.c | 49 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 49 insertions(+) > Looks like Mantic has sk_clone_init(), while Jammy has the same as sk_clone(). Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 15/04/2024 20:21, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > mptcp: fix double-free on socket dismantle > > when MPTCP server accepts an incoming connection, it clones its listener > socket. However, the pointer to 'inet_opt' for the new socket has the same > value as the original one: as a consequence, on program exit it's possible > to observe the following splat: > > BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 > Free of addr ffff888485950880 by task swapper/25/0 > > CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 > Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 > Call Trace: > <IRQ> > dump_stack_lvl+0x32/0x50 > print_report+0xca/0x620 > kasan_report_invalid_free+0x64/0x90 > __kasan_slab_free+0x1aa/0x1f0 > kfree+0xed/0x2e0 > inet_sock_destruct+0x54f/0x8b0 > __sk_destruct+0x48/0x5b0 > rcu_do_batch+0x34e/0xd90 > rcu_core+0x559/0xac0 > __do_softirq+0x183/0x5a4 > irq_exit_rcu+0x12d/0x170 > sysvec_apic_timer_interrupt+0x6b/0x80 > </IRQ> > <TASK> > asm_sysvec_apic_timer_interrupt+0x16/0x20 > RIP: 0010:cpuidle_enter_state+0x175/0x300 > Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b > RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 > RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 > RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 > RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 > R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 > R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 > cpuidle_enter+0x4a/0xa0 > do_idle+0x310/0x410 > cpu_startup_entry+0x51/0x60 > start_secondary+0x211/0x270 > secondary_startup_64_no_verify+0x184/0x18b > </TASK> > > Allocated by task 6853: > kasan_save_stack+0x1c/0x40 > kasan_save_track+0x10/0x30 > __kasan_kmalloc+0xa6/0xb0 > __kmalloc+0x1eb/0x450 > cipso_v4_sock_setattr+0x96/0x360 > netlbl_sock_setattr+0x132/0x1f0 > selinux_netlbl_socket_post_create+0x6c/0x110 > selinux_socket_post_create+0x37b/0x7f0 > security_socket_post_create+0x63/0xb0 > __sock_create+0x305/0x450 > __sys_socket_create.part.23+0xbd/0x130 > __sys_socket+0x37/0xb0 > __x64_sys_socket+0x6f/0xb0 > do_syscall_64+0x83/0x160 > entry_SYSCALL_64_after_hwframe+0x6e/0x76 > > Freed by task 6858: > kasan_save_stack+0x1c/0x40 > kasan_save_track+0x10/0x30 > kasan_save_free_info+0x3b/0x60 > __kasan_slab_free+0x12c/0x1f0 > kfree+0xed/0x2e0 > inet_sock_destruct+0x54f/0x8b0 > __sk_destruct+0x48/0x5b0 > subflow_ulp_release+0x1f0/0x250 > tcp_cleanup_ulp+0x6e/0x110 > tcp_v4_destroy_sock+0x5a/0x3a0 > inet_csk_destroy_sock+0x135/0x390 > tcp_fin+0x416/0x5c0 > tcp_data_queue+0x1bc8/0x4310 > tcp_rcv_state_process+0x15a3/0x47b0 > tcp_v4_do_rcv+0x2c1/0x990 > tcp_v4_rcv+0x41fb/0x5ed0 > ip_protocol_deliver_rcu+0x6d/0x9f0 > ip_local_deliver_finish+0x278/0x360 > ip_local_deliver+0x182/0x2c0 > ip_rcv+0xb5/0x1c0 > __netif_receive_skb_one_core+0x16e/0x1b0 > process_backlog+0x1e3/0x650 > __napi_poll+0xa6/0x500 > net_rx_action+0x740/0xbb0 > __do_softirq+0x183/0x5a4 > > The buggy address belongs to the object at ffff888485950880 > which belongs to the cache kmalloc-64 of size 64 > The buggy address is located 0 bytes inside of > 64-byte region [ffff888485950880, ffff8884859508c0) > > The buggy address belongs to the physical page: > page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 > flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) > page_type: 0xffffffff() > raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 > raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff888485950780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888485950800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > >ffff888485950880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ^ > ffff888485950900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888485950980: 00 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc > > Something similar (a refcount underflow) happens with CALIPSO/IPv6. Fix > this by duplicating IP / IPv6 options after clone, so that > ip{,6}_sock_destruct() doesn't end up freeing the same memory area twice. > > [Fix] > > Mantic: Linux-6.6.y fix commit cherry-picked cleanly. > Jammy: Linux-5.15.y fix commit cherry-picked cleanly. > Focal: not-affected > Bionic: not-affected > Xenial: not-affected > Trusty: not-affected > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use Multipath TCP (MPTCP), an issue with this > fix would be visable with a memory leak or a system crash. > > Davide Caratti (1): > mptcp: fix double-free on socket dismantle > > net/mptcp/protocol.c | 49 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 49 insertions(+) > It was already in jammy, I added the CVE no in the commit. Applied to mantic master-next branch. Thanks!
[Impact] In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ> dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b </TASK> Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888485950800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff888485950880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff888485950900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888485950980: 00 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc Something similar (a refcount underflow) happens with CALIPSO/IPv6. Fix this by duplicating IP / IPv6 options after clone, so that ip{,6}_sock_destruct() doesn't end up freeing the same memory area twice. [Fix] Mantic: Linux-6.6.y fix commit cherry-picked cleanly. Jammy: Linux-5.15.y fix commit cherry-picked cleanly. Focal: not-affected Bionic: not-affected Xenial: not-affected Trusty: not-affected [Test Case] Compile and boot tested. [Where problems could occur] This fix affects those who use Multipath TCP (MPTCP), an issue with this fix would be visable with a memory leak or a system crash. Davide Caratti (1): mptcp: fix double-free on socket dismantle net/mptcp/protocol.c | 49 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+)