syzbot

RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000007
RBP: 00007fbe3814d194 R08: 0000000000000001 R09: 0000000000000034
R10: 0000800100022007 R11: 0000000000000246 R12: 00007fbe3818050c
R13: 00007fbe380662f0 R14: 00007fbe38180508 R15: 0000000000000001
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a1c6dd70 by task syz-executor323/7972

CPU: 1 PID: 7972 Comm: syz-executor323 Not tainted 4.14.284-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
 tcp_new_space net/ipv4/tcp_input.c:5117 [inline]
 tcp_check_space.part.0+0x2ef/0x590 net/ipv4/tcp_input.c:5138
 tcp_check_space+0xa6/0xd0 net/ipv4/tcp_input.c:5143
 tcp_write_xmit+0x661/0x53c0 net/ipv4/tcp_output.c:2403
 __tcp_push_pending_frames+0xa0/0x2d0 net/ipv4/tcp_output.c:2582
 tcp_send_fin+0x16d/0xc00 net/ipv4/tcp_output.c:3134
 tcp_close+0x979/0xed0 net/ipv4/tcp.c:2225
 tls_sk_proto_close+0x584/0x8b0 net/tls/tls_main.c:295
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 get_signal+0x38d/0x1ca0 kernel/signal.c:2412
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fbe380f6e99
RSP: 002b:00007fbe380a82e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 00000000006d0000 RBX: 00007fbe381804e0 RCX: 00007fbe380f6e99
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000003
RBP: 00007fbe3814d194 R08: 0000000000000000 R09: 0000000000000000
R10: 00008080fffffffe R11: 0000000000000246 R12: 00007fbe381804ec
R13: 00007fbe380a82f0 R14: 00007fbe381804e8 R15: 0000000000022000

Allocated by task 7973:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 tls_init+0xb1/0x4e0 net/tls/tls_main.c:518
 tcp_set_ulp+0x18f/0x4c0 net/ipv4/tcp_ulp.c:127
 do_tcp_setsockopt.constprop.0+0x1f6/0x1c10 net/ipv4/tcp.c:2549
 tcp_setsockopt net/ipv4/tcp.c:2832 [inline]
 tcp_setsockopt+0xa7/0xc0 net/ipv4/tcp.c:2824
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 7972:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 tls_ctx_free net/tls/tls_main.c:252 [inline]
 tls_ctx_free net/tls/tls_main.c:246 [inline]
 tls_sk_proto_close+0x568/0x8b0 net/tls/tls_main.c:290
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 get_signal+0x38d/0x1ca0 kernel/signal.c:2412
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880a1c6dd00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
 192-byte region [ffff8880a1c6dd00, ffff8880a1c6ddc0)
The buggy address belongs to the page:
page:ffffea0002871b40 count:1 mapcount:0 mapping:ffff8880a1c6d000 index:0xffff8880a1c6d500
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880a1c6d000 ffff8880a1c6d500 000000010000000a
raw: ffffea0002861520 ffffea0002912de0 ffff88813fe74040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1c6dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a1c6dc80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a1c6dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880a1c6dd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a1c6de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================