Hello,
syzbot found the following crash on:
HEAD commit: 1c046f37 Linux 4.14.115
git tree: linux-4.14.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=16d64670a00000
kernel config:
https://syzkaller.appspot.com/x/.config?x=453b2eab9a394b3e
dashboard link:
https://syzkaller.appspot.com/bug?extid=51df2d83e8ab39e40323
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+51df2d...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
BUG: KASAN: use-after-free in padata_parallel_worker+0x328/0x3c0
kernel/padata.c:74
Write of size 8 at addr ffff8880684a4898 by task kworker/0:3/6774
CPU: 0 PID: 6774 Comm: kworker/0:3 Not tainted 4.14.115 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: pencrypt padata_parallel_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x11e/0x2db mm/kasan/report.c:393
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]
padata_parallel_worker+0x328/0x3c0 kernel/padata.c:74
process_one_work+0x868/0x1610 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x31c/0x430 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Allocated by task 23535:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
tls_sw_sendmsg+0x9ea/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x128/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
___sys_sendmsg+0x70c/0x850 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 23535:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_push_record+0xc08/0x1210 net/tls/tls_sw.c:293
tls_sw_sendmsg+0x9ea/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x128/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
___sys_sendmsg+0x70c/0x850 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880684a4840
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
256-byte region [ffff8880684a4840, ffff8880684a4940)
The buggy address belongs to the page:
page:ffffea0001a12900 count:1 mapcount:0 mapping:ffff8880684a40c0
index:0xffff8880684a4ac0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880684a40c0 ffff8880684a4ac0 000000010000000b
raw: ffffea0002978ea0 ffffea00022b2960 ffff8880aa8007c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880684a4780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff8880684a4800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8880684a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880684a4900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880684a4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.