KASAN: use-after-free Read in tls_write

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in tls_write_space net	C			924	1722d	2118d	0/26	closed as dup on 2019/08/19 21:22
linux-4.14	KASAN: use-after-free Read in tls_write_space	C		error	283	670d	1823d	0/1	upstream: reported C repro on 2019/04/26 18:51

upstream

KASAN: use-after-free Read in tls_write_space net

924

1722d

2118d

0/26

closed as dup on 2019/08/19 21:22

linux-4.14

KASAN: use-after-free Read in tls_write_space

error

283

670d

1823d

0/1

upstream: reported C repro on 2019/04/26 18:51


Created	Duration	User	Repo	Result
2021/01/29 01:01	5h04m	bisect fix	linux-4.19.y	job log (1)
2020/12/30 00:32	28m	bisect fix	linux-4.19.y	job log (0) log
2020/11/29 14:59	31m	bisect fix	linux-4.19.y	job log (0) log
2020/10/30 13:16	30m	bisect fix	linux-4.19.y	job log (0) log
2020/09/30 12:45	31m	bisect fix	linux-4.19.y	job log (0) log
2020/08/31 12:11	34m	bisect fix	linux-4.19.y	job log (0) log
2020/08/01 11:37	33m	bisect fix	linux-4.19.y	job log (0) log
2020/07/02 11:07	30m	bisect fix	linux-4.19.y	job log (0) log
2020/06/02 09:55	31m	bisect fix	linux-4.19.y	job log (0) log
2020/05/03 09:22	32m	bisect fix	linux-4.19.y	job log (0) log
2020/04/03 08:52	30m	bisect fix	linux-4.19.y	job log (0) log
2020/03/04 08:18	33m	bisect fix	linux-4.19.y	job log (0) log
2020/02/03 07:39	32m	bisect fix	linux-4.19.y	job log (0) log
2020/01/04 07:07	31m	bisect fix	linux-4.19.y	job log (0) log
2019/12/05 06:36	31m	bisect fix	linux-4.19.y	job log (0) log

RDX: 000000000000fdef RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 0000000000000004 R08: 0000000000000001 R09: 00007fff6d160033 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ec0 R13: 0000000000401f50 R14: 0000000000000000 R15: 0000000000000000 ================================================================== BUG: KASAN: use-after-free in tls_write_space+0x2b2/0x310 net/tls/tls_main.c:220 Read of size 1 at addr ffff88809ecae8a0 by task syz-executor758/8044 CPU: 1 PID: 8044 Comm: syz-executor758 Not tainted 4.19.48 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 tls_write_space+0x2b2/0x310 net/tls/tls_main.c:220 tcp_new_space net/ipv4/tcp_input.c:5141 [inline] tcp_check_space+0x430/0x720 net/ipv4/tcp_input.c:5152 tcp_data_snd_check net/ipv4/tcp_input.c:5162 [inline] tcp_rcv_established+0x9e9/0x1f10 net/ipv4/tcp_input.c:5653 tcp_v4_do_rcv+0x616/0x8d0 net/ipv4/tcp_ipv4.c:1535 sk_backlog_rcv include/net/sock.h:941 [inline] __release_sock+0x129/0x3a0 net/core/sock.c:2337 release_sock+0x59/0x1c0 net/core/sock.c:2853 tls_sk_proto_close+0x691/0xa20 net/tls/tls_main.c:309 inet_release+0xff/0x1e0 net/ipv4/af_inet.c:428 __sock_release+0x1f4/0x2a0 net/socket.c:579 sock_release+0x18/0x20 net/socket.c:599 smc_release+0x2c1/0x810 net/smc/af_smc.c:156 __sock_release+0xce/0x2a0 net/socket.c:579 sock_close+0x1b/0x30 net/socket.c:1140 __fput+0x2dd/0x8b0 fs/file_table.c:278 ____fput+0x16/0x20 fs/file_table.c:309 task_work_run+0x145/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x933/0x2fa0 kernel/exit.c:876 do_group_exit+0x135/0x370 kernel/exit.c:979 __do_sys_exit_group kernel/exit.c:990 [inline] __se_sys_exit_group kernel/exit.c:988 [inline] __x64_sys_exit_group+0x44/0x50 kernel/exit.c:988 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x43f298 Code: Bad RIP value. RSP: 002b:00007fff6d16b188 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f298 RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 8044: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] create_ctx+0x46/0x1f0 net/tls/tls_main.c:550 tls_init+0x158/0x7a0 net/tls/tls_main.c:683 tcp_set_ulp+0x216/0x5f0 net/ipv4/tcp_ulp.c:155 do_tcp_setsockopt.isra.0+0x321/0x2320 net/ipv4/tcp.c:2750 tcp_setsockopt+0xbe/0xe0 net/ipv4/tcp.c:3064 sock_common_setsockopt+0x94/0xd0 net/core/sock.c:3044 smc_setsockopt+0xcb/0x790 net/smc/af_smc.c:1652 __sys_setsockopt+0x17a/0x280 net/socket.c:1901 __do_sys_setsockopt net/socket.c:1912 [inline] __se_sys_setsockopt net/socket.c:1909 [inline] __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1909 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8044: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 tls_ctx_free.part.0+0x32/0x40 net/tls/tls_main.c:251 tls_ctx_free net/tls/tls_main.c:246 [inline] tls_sk_proto_close+0x684/0xa20 net/tls/tls_main.c:304 inet_release+0xff/0x1e0 net/ipv4/af_inet.c:428 __sock_release+0x1f4/0x2a0 net/socket.c:579 sock_release+0x18/0x20 net/socket.c:599 smc_release+0x2c1/0x810 net/smc/af_smc.c:156 __sock_release+0xce/0x2a0 net/socket.c:579 sock_close+0x1b/0x30 net/socket.c:1140 __fput+0x2dd/0x8b0 fs/file_table.c:278 ____fput+0x16/0x20 fs/file_table.c:309 task_work_run+0x145/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x933/0x2fa0 kernel/exit.c:876 do_group_exit+0x135/0x370 kernel/exit.c:979 __do_sys_exit_group kernel/exit.c:990 [inline] __se_sys_exit_group kernel/exit.c:988 [inline] __x64_sys_exit_group+0x44/0x50 kernel/exit.c:988 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88809ecae7c0 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 224 bytes inside of 512-byte region [ffff88809ecae7c0, ffff88809ecae9c0) The buggy address belongs to the page: page:ffffea00027b2b80 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffffea00026d1a08 ffffea00027c1748 ffff88812c3f0940 raw: 0000000000000000 ffff88809ecae040 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809ecae780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff88809ecae800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88809ecae880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809ecae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809ecae980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================

Crashes (25):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2019/06/05 18:48	linux-4.19.y	e109a984cf38	bfb4a51e	.config	console log	report	syz	C	ci2-linux-4-19
2019/08/03 15:10	linux-4.19.y	9a9de33a9dfa	6affd8e8	.config	console log	report	syz		ci2-linux-4-19
2019/04/14 20:25	linux-4.19.y	4d552acf3370	505ab413	.config	console log	report	syz		ci2-linux-4-19
2019/09/05 09:58	linux-4.19.y	97ab07e11fbf	040fda58	.config	console log	report			ci2-linux-4-19
2019/09/02 17:02	linux-4.19.y	97ab07e11fbf	14544a56	.config	console log	report			ci2-linux-4-19
2019/09/02 16:53	linux-4.19.y	97ab07e11fbf	14544a56	.config	console log	report			ci2-linux-4-19
2019/09/02 16:15	linux-4.19.y	97ab07e11fbf	14544a56	.config	console log	report			ci2-linux-4-19
2019/09/02 03:06	linux-4.19.y	97ab07e11fbf	bad3cce2	.config	console log	report			ci2-linux-4-19
2019/08/30 20:17	linux-4.19.y	97ab07e11fbf	9adfa876	.config	console log	report			ci2-linux-4-19
2019/08/28 17:46	linux-4.19.y	def4c11b3131	1eb076e9	.config	console log	report			ci2-linux-4-19
2019/08/28 06:25	linux-4.19.y	def4c11b3131	fd37b39e	.config	console log	report			ci2-linux-4-19
2019/08/27 05:44	linux-4.19.y	def4c11b3131	d21c5d9d	.config	console log	report			ci2-linux-4-19
2019/08/26 08:35	linux-4.19.y	def4c11b3131	d21c5d9d	.config	console log	report			ci2-linux-4-19
2019/08/23 01:57	linux-4.19.y	a5aa80588fcd	ca6f3cfa	.config	console log	report			ci2-linux-4-19
2019/08/21 23:05	linux-4.19.y	a5aa80588fcd	4ea67ff8	.config	console log	report			ci2-linux-4-19
2019/08/21 12:32	linux-4.19.y	a5aa80588fcd	4ea67ff8	.config	console log	report			ci2-linux-4-19
2019/08/19 08:00	linux-4.19.y	a5aa80588fcd	b8ceabfc	.config	console log	report			ci2-linux-4-19
2019/07/29 20:24	linux-4.19.y	64f4694072aa	f67095ee	.config	console log	report			ci2-linux-4-19
2019/07/24 05:02	linux-4.19.y	be9b6782a9eb	de453f34	.config	console log	report			ci2-linux-4-19
2019/06/27 10:04	linux-4.19.y	aec3002d07fd	7509bf36	.config	console log	report			ci2-linux-4-19
2019/06/19 02:17	linux-4.19.y	6500aa436df4	34bf9440	.config	console log	report			ci2-linux-4-19
2019/06/11 06:17	linux-4.19.y	bb7b450e61a1	0159583c	.config	console log	report			ci2-linux-4-19
2019/06/09 20:53	linux-4.19.y	bb7b450e61a1	0159583c	.config	console log	report			ci2-linux-4-19
2019/06/09 16:00	linux-4.19.y	bb7b450e61a1	0159583c	.config	console log	report			ci2-linux-4-19
2019/06/05 18:16	linux-4.19.y	e109a984cf38	bfb4a51e	.config	console log	report			ci2-linux-4-19

Crashes (25):

Assets (help?)

2019/06/05 18:48

linux-4.19.y