syzbot


KASAN: use-after-free Write in padata_parallel_worker

Status: upstream: reported C repro on 2019/05/02 16:03
Reported-by: syzbot+51df2d83e8ab39e40323@syzkaller.appspotmail.com
First crash: 1791d, last: 578d
Fix bisection: the fix commit could be any of (bisect log):
  e0f8b8a65a47 Linux 4.14.170
  4139fb08c05f Linux 4.14.187
  
Last patch testing requests (10)
Created Duration User Patch Repo Result
2023/03/04 22:32 0m retest repro linux-4.14.y error OK
2023/03/04 21:32 0m retest repro linux-4.14.y error OK
2023/03/04 20:32 1m retest repro linux-4.14.y error OK
2023/03/04 19:32 1m retest repro linux-4.14.y error OK
2023/03/04 18:32 0m retest repro linux-4.14.y error OK
2023/03/04 17:32 0m retest repro linux-4.14.y error OK
2023/03/04 16:32 0m retest repro linux-4.14.y error OK
2023/03/04 15:32 9m retest repro linux-4.14.y report log
2023/03/04 14:32 0m retest repro linux-4.14.y error OK
2023/03/04 13:32 0m retest repro linux-4.14.y error OK
Fix bisection attempts (5)
Created Duration User Patch Repo Result
2020/06/30 16:13 30m (2) bisect fix linux-4.14.y job log (2)
2020/05/31 12:07 23m bisect fix linux-4.14.y job log (0) log
2020/04/05 03:02 23m bisect fix linux-4.14.y job log (0) log
2020/01/14 01:55 23m bisect fix linux-4.14.y job log (0) log
2019/12/14 03:45 23m bisect fix linux-4.14.y job log (0) log

Sample crash report:
audit: type=1804 audit(1659715821.510:2): pid=8005 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor400" name="/root/bus" dev="sda1" ino=13861 res=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
==================================================================
------------[ cut here ]------------
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149 [inline]
BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0 kernel/padata.c:76
Write of size 8 at addr ffff8880b2e49c58 by task kworker/1:2/4632

kernel BUG at include/linux/scatterlist.h:190!
CPU: 1 PID: 4632 Comm: kworker/1:2 Not tainted 4.14.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Workqueue: pencrypt padata_parallel_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_store8_noabort+0x68/0x70 mm/kasan/report.c:435
 list_replace include/linux/list.h:141 [inline]
 list_replace_init include/linux/list.h:149 [inline]
 padata_parallel_worker+0x2b0/0x2e0 kernel/padata.c:76
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 8005:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc+0x15a/0x400 mm/slab.c:3729
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 tls_push_record+0xfa/0x1270 net/tls/tls_sw.c:250
 tls_push_pending_closed_record net/tls/tls_main.c:205 [inline]
 tls_push_pending_closed_record+0xbc/0xf0 net/tls/tls_main.c:198
 tls_complete_pending_work include/net/tls.h:159 [inline]
 tls_sw_sendpage+0x7f8/0xb50 net/tls/tls_sw.c:563
 inet_sendpage+0x155/0x590 net/ipv4/af_inet.c:779
 kernel_sendpage net/socket.c:3407 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:871
 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1018
 splice_direct_to_actor+0x27c/0x730 fs/splice.c:973
 do_splice_direct+0x164/0x210 fs/splice.c:1061
 do_sendfile+0x47f/0xb30 fs/read_write.c:1441
 SYSC_sendfile64 fs/read_write.c:1502 [inline]
 SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 8005:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 tls_push_record+0xc3b/0x1270 net/tls/tls_sw.c:293
 tls_push_pending_closed_record net/tls/tls_main.c:205 [inline]
 tls_push_pending_closed_record+0xbc/0xf0 net/tls/tls_main.c:198
 tls_complete_pending_work include/net/tls.h:159 [inline]
 tls_sw_sendpage+0x7f8/0xb50 net/tls/tls_sw.c:563
 inet_sendpage+0x155/0x590 net/ipv4/af_inet.c:779
 kernel_sendpage net/socket.c:3407 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:871
 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1018
 splice_direct_to_actor+0x27c/0x730 fs/splice.c:973
 do_splice_direct+0x164/0x210 fs/splice.c:1061
 do_sendfile+0x47f/0xb30 fs/read_write.c:1441
 SYSC_sendfile64 fs/read_write.c:1502 [inline]
 SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880b2e49c00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
 256-byte region [ffff8880b2e49c00, ffff8880b2e49d00)
The buggy address belongs to the page:
page:ffffea0002cb9240 count:1 mapcount:0 mapping:ffff8880b2e490c0 index:0xffff8880b2e49700
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880b2e490c0 ffff8880b2e49700 0000000100000006
raw: ffffea0002929f60 ffffea00026dc920 ffff88813fe747c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b2e49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b2e49b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880b2e49c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8880b2e49c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b2e49d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
invalid opcode: 0000 [#1] PREEMPT SMP KASAN

Crashes (54):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/08/05 16:12 linux-4.14.y b641242202ed a65a7ce9 .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/04/21 23:20 linux-4.14.y 15a1c6b6f516 2738b391 .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2020/11/14 17:13 linux-4.14.y 27ce4f2a6817 1bf9a662 .config console log report syz C ci2-linux-4-14
2020/11/10 02:44 linux-4.14.y 6b6446efedb2 cba33199 .config console log report syz C ci2-linux-4-14
2020/11/07 05:47 linux-4.14.y 6b6446efedb2 cba33199 .config console log report syz C ci2-linux-4-14
2020/11/01 06:54 linux-4.14.y 2b7915014161 8bc4594f .config console log report syz C ci2-linux-4-14
2020/10/13 10:16 linux-4.14.y cbfa1702aaf6 bd69ee0d .config console log report syz C ci2-linux-4-14
2020/09/05 05:24 linux-4.14.y 2f166cdcf8a9 abf9ba4f .config console log report syz C ci2-linux-4-14
2020/02/07 17:26 linux-4.14.y e0f8b8a65a47 06150bf1 .config console log report syz C ci2-linux-4-14
2019/12/15 01:54 linux-4.14.y a844dc4c5442 eef6e580 .config console log report syz C ci2-linux-4-14
2019/09/23 18:15 linux-4.14.y f6e27dbb1afa c68252d2 .config console log report syz C ci2-linux-4-14
2021/10/09 05:58 linux-4.14.y 756db2ba8bde efe0f24d .config console log report syz ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/08/28 12:59 linux-4.14.y e548869f356f 07177916 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/08/16 20:16 linux-4.14.y b641242202ed 9e4b39c2 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/08/05 12:50 linux-4.14.y b641242202ed a65a7ce9 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/07/22 18:22 linux-4.14.y 9c3bf9cf362f 22343af4 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/07/21 08:01 linux-4.14.y 424a46ea058e 6e67af9d .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/04/04 02:57 linux-4.14.y 74766a973637 79a2a8fc .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2022/02/16 17:47 linux-4.14.y a35d65bedfbc 8b9ca619 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/04/29 19:08 linux-4.14.y 7d7d1c0ab3eb 77e2b668 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/04/24 13:54 linux-4.14.y cf256fbcbe34 17f0b706 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/04/13 18:44 linux-4.14.y 958e517f4e16 a184b83e .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/04/03 13:25 linux-4.14.y bd634aa64163 6a81331a .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/03/24 14:53 linux-4.14.y 670d6552eda8 607e3baf .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/03/11 19:03 linux-4.14.y c7150cd2fa8c c2ca1f2a .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/25 01:57 linux-4.14.y 3242aa3a635c fcc6d71b .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/24 14:46 linux-4.14.y 3242aa3a635c fcc6d71b .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/24 14:25 linux-4.14.y 3242aa3a635c fcc6d71b .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/24 08:19 linux-4.14.y 3242aa3a635c fcc6d71b .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/10 16:00 linux-4.14.y 2c8a3fceddf0 9c8b8541 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/10 11:02 linux-4.14.y 2c8a3fceddf0 9c8b8541 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/02 23:36 linux-4.14.y 2c8a3fceddf0 624dad51 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/02/01 20:52 linux-4.14.y 2c8a3fceddf0 e6b95f32 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/01/28 07:19 linux-4.14.y 2d2791fce891 eefc07f2 .config console log report info ci2-linux-4-14 KASAN: use-after-free Write in padata_parallel_worker
2021/01/11 13:58 linux-4.14.y ec822b3e8bf4 2c1f2513 .config console log report info ci2-linux-4-14
2021/01/08 10:29 linux-4.14.y 1752938529c6 c104d4a3 .config console log report info ci2-linux-4-14
2020/11/10 08:41 linux-4.14.y 6b6446efedb2 cca87986 .config console log report info ci2-linux-4-14
2020/11/09 14:23 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/11/08 11:12 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/11/02 22:06 linux-4.14.y 2b7915014161 7f344fa6 .config console log report info ci2-linux-4-14
2020/11/02 09:00 linux-4.14.y 2b7915014161 8bc4594f .config console log report info ci2-linux-4-14
2020/10/13 08:54 linux-4.14.y cbfa1702aaf6 bd69ee0d .config console log report info ci2-linux-4-14
2020/09/14 07:31 linux-4.14.y cbfa1702aaf6 2d3cdd63 .config console log report ci2-linux-4-14
2020/07/05 06:01 linux-4.14.y b850307b279c 24d7f505 .config console log report ci2-linux-4-14
2020/05/01 11:37 linux-4.14.y 050272a0423e 143a10e9 .config console log report ci2-linux-4-14
2020/03/06 03:02 linux-4.14.y 78d697fc93f9 b655d91b .config console log report ci2-linux-4-14
2019/10/31 17:56 linux-4.14.y ddef1e8e3f6e a41ca8fa .config console log report ci2-linux-4-14
2019/09/09 16:57 linux-4.14.y 414510bc00a5 a60cb4cd .config console log report ci2-linux-4-14
2019/08/30 07:44 linux-4.14.y 01fd1694b93c cd626f3b .config console log report ci2-linux-4-14
2019/08/22 17:26 linux-4.14.y 45f092f9e9cb c6c81a0b .config console log report ci2-linux-4-14
2019/07/21 11:25 linux-4.14.y ff33472c282e 1656845f .config console log report ci2-linux-4-14
2019/06/10 22:36 linux-4.14.y e6a95d8851f1 0159583c .config console log report ci2-linux-4-14
2019/06/10 18:56 linux-4.14.y e6a95d8851f1 0159583c .config console log report ci2-linux-4-14
2019/05/02 15:02 linux-4.14.y 1c046f373132 1852eb18 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.