bisecting cause commit starting from 90568ecf561540fa330511e21fcd823b0c3829c6
building syzkaller on 06150bf1b39b70e521560bc943ac19b281903ebc
testing commit 90568ecf561540fa330511e21fcd823b0c3829c6 with gcc (GCC) 8.1.0
kernel signature: 253b6196983c64c419271662e611f5ba45cdb626a2c0039931826bd85f1e6dc7
all runs: crashed: INFO: task hung in tls_sw_cancel_work_tx
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: dafa24d83556c96d31a116a955d4107262c09759cd998a370785eb706de54d2c
all runs: crashed: INFO: task hung in tls_sw_cancel_work_tx
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: ec3ab500e9349af120ca67a226dc434e5a8f584f696d7985b374c7f09d19c3c5
all runs: crashed: INFO: task hung in tls_sw_cancel_work_tx
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 7412663b5039cc47f26f5c081301839556286490e823317257e70f15bfcefb03
all runs: crashed: INFO: task hung in tls_sw_cancel_work_tx
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 25c32065b0c8b3bd62bbaa61118dc8b8100c60bf6dc0b8c8b7130fec65e9421f
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 36bcceef6e408ef239fa13ba4cfe61213344b5631e019eccb0fd4a7d57aac998
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 4207f64646eb6ef67cc906e605952283e4e2eea94ee1d3c34470d4395546b9d0
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 61c469544e88968fd4e8af987f301cb12d1d7d134fa02d5123d1500e149c8380
run #0: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #1: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #2: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #3: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #4: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #5: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #6: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #7: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #8: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #9: crashed: INFO: task hung in tls_sw_free_resources_tx
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 1f5fc0bd9647a7d567aa2a57232eb23c596c4b42489860e46f3f2182a3ec2639
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: crashed: general protection fault in batadv_iv_ogm_queue_add
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 0e2f5e8919102e7cb0b678b33b873e41cde4675d4cc25bc5f036255c4438805b
all runs: OK
# git bisect start 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 7596 revisions left to test after this (roughly 13 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
kernel signature: c71c3f3a5c30072fee87f9e52690435fea1aac9bbdd4670d54873ec99e4532ff
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 4493 revisions left to test after this (roughly 12 steps)
[0a957467c5fd46142bc9c52758ffc552d4c5e2f7] x86: i8259: Add missing include file
testing commit 0a957467c5fd46142bc9c52758ffc552d4c5e2f7 with gcc (GCC) 8.1.0
kernel signature: 382e90e90216fa3584c17b7a0c922170a7fa792a10f6abd279cdd8a41cee71ec
all runs: OK
# git bisect good 0a957467c5fd46142bc9c52758ffc552d4c5e2f7
Bisecting: 2289 revisions left to test after this (roughly 11 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
kernel signature: 8a0231115b20bc7acc12eb26dae6bbc918ebcb367640f06580d63016791ec8bf
all runs: OK
# git bisect good 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 1167 revisions left to test after this (roughly 10 steps)
[ef8e0ff97ae8168ffe1558a5726a8b348c8228a3] Merge tag 'drm-intel-next-2018-07-19' of git://anongit.freedesktop.org/drm/drm-intel into drm-next
testing commit ef8e0ff97ae8168ffe1558a5726a8b348c8228a3 with gcc (GCC) 8.1.0
kernel signature: cc928939e92197ac41732282b3d73b42ab61f93dd7d5b0fc038e51e2588ea48b
run #0: crashed: KASAN: stack-out-of-bounds Write in scatterwalk_copychunks
run #1: crashed: KASAN: use-after-free Write in tls_push_record
run #2: crashed: KASAN: stack-out-of-bounds Write in scatterwalk_copychunks
run #3: crashed: KASAN: use-after-free Write in tls_push_record
run #4: crashed: KASAN: use-after-free Write in tls_push_record
run #5: crashed: KASAN: use-after-free Write in tls_push_record
run #6: crashed: KASAN: out-of-bounds Write in tls_push_record
run #7: crashed: KASAN: out-of-bounds Write in tls_push_record
run #8: crashed: KASAN: use-after-free Write in tls_push_record
run #9: crashed: KASAN: use-after-free Write in tls_push_record
# git bisect bad ef8e0ff97ae8168ffe1558a5726a8b348c8228a3
Bisecting: 560 revisions left to test after this (roughly 9 steps)
[e0d018119ae82cbde32c1d4f8e9b8d8f43a3c88a] drm/v3d: Remove unnecessary dma_fence_ops.
testing commit e0d018119ae82cbde32c1d4f8e9b8d8f43a3c88a with gcc (GCC) 8.1.0
kernel signature: 930d0dca720122e63c845a6b834a84d3e89782891e3600ef3633c6d8c5f60212
all runs: boot failed: WARNING in drm_connector_init
# git bisect skip e0d018119ae82cbde32c1d4f8e9b8d8f43a3c88a
Bisecting: 560 revisions left to test after this (roughly 9 steps)
[d6258eaa41fc531277d44fbbee670c866025bfdc] drm/amd/display: don't initialize result
testing commit d6258eaa41fc531277d44fbbee670c866025bfdc with gcc (GCC) 8.1.0
kernel signature: 88596dca381655d9d1c5b2533859741d77dd83a4b461ec066f2ec50cb5cfe30c
run #0: crashed: KASAN: use-after-free Write in tls_push_record
run #1: crashed: KASAN: use-after-free Write in tls_push_record
run #2: crashed: KASAN: out-of-bounds Write in tls_push_record
run #3: crashed: KASAN: out-of-bounds Write in tls_push_record
run #4: crashed: KASAN: out-of-bounds Write in tls_push_record
run #5: crashed: KASAN: out-of-bounds Write in tls_push_record
run #6: crashed: KASAN: use-after-free Write in tls_push_record
run #7: crashed: KASAN: use-after-free Write in tls_push_record
run #8: crashed: KASAN: use-after-free Write in tls_push_record
run #9: crashed: KASAN: use-after-free Write in tls_push_record
# git bisect bad d6258eaa41fc531277d44fbbee670c866025bfdc
Bisecting: 295 revisions left to test after this (roughly 8 steps)
[e1cacec9d50d7299893eeab2d895189f3db625da] drm/i915: Update DRIVER_DATE to 20180620
testing commit e1cacec9d50d7299893eeab2d895189f3db625da with gcc (GCC) 8.1.0
kernel signature: d5609f1d5d7888ee37694b2756fc6fd931a504c2220fd136a82c564c62fc3da2
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad e1cacec9d50d7299893eeab2d895189f3db625da
Bisecting: 131 revisions left to test after this (roughly 7 steps)
[521370106d0d614fca76c7001bf5a82e1250fa27] drm/i915: Change i915_gem_fault() to return vm_fault_t
testing commit 521370106d0d614fca76c7001bf5a82e1250fa27 with gcc (GCC) 8.1.0
kernel signature: bebc8d8372c5e901a34af565054a3a2047a029a08940ced6c8b0a599ad6061eb
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #8: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #9: crashed: KASAN: use-after-free Read in tls_sk_proto_close
# git bisect bad 521370106d0d614fca76c7001bf5a82e1250fa27
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[8359768c5c325f841473343288fc4d55a256954f] drm/i915: Forward declare struct intel_context
testing commit 8359768c5c325f841473343288fc4d55a256954f with gcc (GCC) 8.1.0
kernel signature: c9833ca230324da1071c39607b1b978adc27e980302e28a726d2fdf8b39870c7
all runs: crashed: KASAN: use-after-free Read in tls_sk_proto_close
# git bisect bad 8359768c5c325f841473343288fc4d55a256954f
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[d6d12ec081776bdea7e0ad58f2a7e7f92e414e7f] drm/i915: Make intel_engine_dump irqsafe
testing commit d6d12ec081776bdea7e0ad58f2a7e7f92e414e7f with gcc (GCC) 8.1.0
kernel signature: a7530790ec0ede37b43006ebead6835c2d0a16b1b546dc2e5127f9e0492c1f32
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: KASAN: use-after-free Read in tls_sk_proto_close
# git bisect bad d6d12ec081776bdea7e0ad58f2a7e7f92e414e7f
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[57877b70739a5d49d95bedf94218ba125e8afef3] drm/i915/execlists: HWACK checking superseded checking port[0].count
testing commit 57877b70739a5d49d95bedf94218ba125e8afef3 with gcc (GCC) 8.1.0
kernel signature: e2610cdcdf8af10d09a76a1e021047b31dcda0bf0db852adc5c206e1f036b5f1
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: KASAN: use-after-free Read in tls_sk_proto_close
# git bisect bad 57877b70739a5d49d95bedf94218ba125e8afef3
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[73377dbcc754f1e673b60f238c237c5e909f92b1] drm/i915/execlists: Split out CSB processing
testing commit 73377dbcc754f1e673b60f238c237c5e909f92b1 with gcc (GCC) 8.1.0
kernel signature: 3eea8bf3cce7cbdbc9cca1af43447345dc2aa8be3876523d52b62a710a5729a3
run #0: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: KASAN: use-after-free Read in tls_sk_proto_close
# git bisect bad 73377dbcc754f1e673b60f238c237c5e909f92b1
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f351d087d8329a08eca9e69872c3906c139e1f11] drm/i915: Only sync tasklets once for recursive reset preparation
testing commit f351d087d8329a08eca9e69872c3906c139e1f11 with gcc (GCC) 8.1.0
kernel signature: c18fa5c58539bfc38d01eec25ec5e8c01c83368d055b9bf8e38eb1393737b95d
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad f351d087d8329a08eca9e69872c3906c139e1f11
Bisecting: 1 revision left to test after this (roughly 1 step)
[e7f2af7894b1ac76f2062f32724d51f23438249b] drm/i915/dp: fix spelling mistakes: "seqeuncer" and "seqeuencer"
testing commit e7f2af7894b1ac76f2062f32724d51f23438249b with gcc (GCC) 8.1.0
kernel signature: 8ed44915dad15c947d9952bb191858af683eda0373d6c368eb023de0b518d549
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #4: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: KASAN: use-after-free Read in tls_sk_proto_close
# git bisect bad e7f2af7894b1ac76f2062f32724d51f23438249b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f75f91574617a3c6fbc821c6b156f5777a59d0ed] drm/i915: Shrink search list for active timelines
testing commit f75f91574617a3c6fbc821c6b156f5777a59d0ed with gcc (GCC) 8.1.0
kernel signature: c6c1b707df18449661d1cd8681a11fd8c2454d2a9a2b2e25d79d6c683a235ac1
run #0: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #1: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #2: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #3: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #4: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #5: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #6: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #7: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #8: crashed: KASAN: use-after-free Read in tls_sk_proto_close
run #9: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad f75f91574617a3c6fbc821c6b156f5777a59d0ed
f75f91574617a3c6fbc821c6b156f5777a59d0ed is the first bad commit
commit f75f91574617a3c6fbc821c6b156f5777a59d0ed
Author: Chris Wilson
Date:   Tue May 15 15:31:49 2018 +0100

    drm/i915: Shrink search list for active timelines

    When switching to the kernel context, we force the switch to occur
    after all currently active requests (so that we know the GPU won't
    switch immediately away and the kernel context remains current as we
    work). To do so we have to inspect all the timelines and add a fence
    from the active work to queue our switch afterwards. We can use the
    tracked set of active rings to shrink our search for active timelines.

    v2: Use a local to shrink the list_for_each_entry()

    Signed-off-by: Chris Wilson
    Cc: Tvrtko Ursulin
    Reviewed-by: Tvrtko Ursulin
    Link: https://patchwork.freedesktop.org/patch/msgid/20180515143149.4795-1-chris@chris-wilson.co.uk

 drivers/gpu/drm/i915/i915_gem_context.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

parent commit 01f83786f9ab9c8883ce634cb9a0de51086ad7ea wasn't tested
testing commit 01f83786f9ab9c8883ce634cb9a0de51086ad7ea with gcc (GCC) 8.1.0
kernel signature: bf1b61151fd3f7238e49515046fccf8eb003443f5ef53ff4bfe1b5737119412d
culprit signature: c6c1b707df18449661d1cd8681a11fd8c2454d2a9a2b2e25d79d6c683a235ac1
parent signature: bf1b61151fd3f7238e49515046fccf8eb003443f5ef53ff4bfe1b5737119412d
revisions tested: 25, total time: 5h14m45.240440925s (build: 2h41m6.44665927s, test: 2h31m28.829858809s)
first bad commit: f75f91574617a3c6fbc821c6b156f5777a59d0ed drm/i915: Shrink search list for active timelines
cc: ["airlied@linux.ie" "chris@chris-wilson.co.uk" "dri-devel@lists.freedesktop.org" "intel-gfx@lists.freedesktop.org" "jani.nikula@linux.intel.com" "joonas.lahtinen@linux.intel.com" "linux-kernel@vger.kernel.org" "rodrigo.vivi@intel.com" "tvrtko.ursulin@intel.com"]
crash: kernel BUG at include/linux/scatterlist.h:LINE!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:199!
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in tls_sk_proto_close+0x828/0x900 net/tls/tls_main.c:290
Read of size 1 at addr ffff8800a503d458 by task syz-executor.2/7050

CPU: 1 PID: 7050 Comm: syz-executor.2 Not tainted 4.17.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x15a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 tls_sk_proto_close+0x828/0x900 net/tls/tls_main.c:290
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:460
 sock_release+0x83/0x190 net/socket.c:594
 sock_close+0xd/0x20 net/socket.c:1149
 __fput+0x232/0x780 fs/file_table.c:209
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x111/0x180 kernel/task_work.c:113
CPU: 0 PID: 7051 Comm: syz-executor.2 Not tainted 4.17.0-rc3-syzkaller #0
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:166
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:290
RIP: 0010:sg_mark_end include/linux/scatterlist.h:199 [inline]
RIP: 0010:tls_push_record+0xef0/0x1660 net/tls/tls_sw.c:234
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RSP: 0018:ffff880082d5f9b0 EFLAGS: 00010287
RIP: 0033:0x414f31
RSP: 002b:00007ffe6d4dc420 EFLAGS: 00000293
RAX: 0000000087654321 RBX: ffff88009a82e980 RCX: ffff88009a82ee20
ORIG_RAX: 0000000000000003
RDX: 1ffff10013505dbf RSI: ffff88009a82eb70 RDI: ffff88009a82eb78
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000414f31
RBP: ffff880082d5fa60 R08: ffff880082d5fd28 R09: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000004
R10: ffffed00150cac38 R11: ffff8800a86561c1 R12: ffff8800a561db80
RBP: 0000000000000000 R08: 0000000000760928 R09: ffffffffffffffff
R10: 00007ffe6d4dc4f0 R11: 0000000000000293 R12: 000000000075bfc8
R13: ffff88009a82edf8 R14: ffff88008cb20040 R15: 0000000000000017
R13: 0000000000000006 R14: 0000000000760930 R15: 000000000075bfd4
FS:  00007f5ded3df700(0000) GS:ffff8800aec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Allocated by task 7105:
CR2: 00007f0c2069e000 CR3: 000000009f603000 CR4: 00000000001406f0
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3620
Call Trace:
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 create_ctx net/tls/tls_main.c:514 [inline]
 tls_init+0x13a/0x910 net/tls/tls_main.c:626
 tcp_set_ulp+0x197/0x480 net/ipv4/tcp_ulp.c:153
 tls_sw_sendmsg+0xc5c/0x1110 net/tls/tls_sw.c:484
 do_tcp_setsockopt.isra.37+0x2ab/0x2210 net/ipv4/tcp.c:2587
 tcp_setsockopt+0x80/0xd0 net/ipv4/tcp.c:2892
 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:3039
 __sys_setsockopt+0x13e/0x210 net/socket.c:1903
 inet_sendmsg+0x108/0x440 net/ipv4/af_inet.c:798
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xb9/0x150 net/socket.c:1911
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:287
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:639
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1789

Freed by task 7050:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x270 mm/slab.c:3813
 tls_sw_free_resources+0x277/0x340 net/tls/tls_sw.c:1037
 tls_sk_proto_close+0x558/0x900 net/tls/tls_main.c:281
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:460
 sock_release+0x83/0x190 net/socket.c:594
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1797
 sock_close+0xd/0x20 net/socket.c:1149
 __fput+0x232/0x780 fs/file_table.c:209
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:287
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x111/0x180 kernel/task_work.c:113
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:166
RIP: 0033:0x45b399
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:290
RSP: 002b:00007f5ded3dec78 EFLAGS: 00000246
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5ded3df6d4 RCX: 000000000045b399

The buggy address belongs to the object at ffff8800a503d400
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
 256-byte region [ffff8800a503d400, ffff8800a503d500)
RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000004
The buggy address belongs to the page:
RBP: 000000000075bf20 R08: 0000000000000000 R09: 00000000000000d8
page:ffffea0002940f40 count:1 mapcount:0 mapping:ffff8800a503d040 index:0x0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
flags: 0xfffe0000000100(slab)
R13: 00000000000009d6 R14: 00000000004cb45d R15: 000000000075bf2c
raw: 00fffe0000000100 ffff8800a503d040 0000000000000000 000000010000000c
Code: raw: ffffea0002940e60 ffffea0002941020 ffff8800aa8007c0 0000000000000000
48 page dumped because: kasan: bad access detected
b8 00
Memory state around the buggy address:
 ffff8800a503d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 00
 ffff8800a503d380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc 00
>ffff8800a503d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 00
                                                    ^ 00
 ffff8800a503d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
 ffff8800a503d500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ff
==================================================================
df