KASAN: use-after-free Write in padata_serial_worker

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: e6a95d88 Linux 4.14.124
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1543b0f1a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ab7251aa14ac721d
dashboard link: https://syzkaller.appspot.com/bug?extid=3565b7e06c0e4fee4a9b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3565b7...@syzkaller.appspotmail.com

RDX: 0000000000000001 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd7544ae6d4
R13: 00000000004c700b R14: 00000000004dc1c8 R15: 0000000000000004
==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
BUG: KASAN: use-after-free in padata_serial_worker+0x362/0x400
kernel/padata.c:296
Write of size 8 at addr ffff888096bf6d18 by task kworker/1:0/18

CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.14.124 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: pencrypt padata_serial_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]
padata_serial_worker+0x362/0x400 kernel/padata.c:296
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 17313:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 17313:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_push_record+0xc03/0x1210 net/tls/tls_sw.c:293
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff888096bf6cc0
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
256-byte region [ffff888096bf6cc0, ffff888096bf6dc0)
The buggy address belongs to the page:
page:ffffea00025afd80 count:1 mapcount:0 mapping:ffff888096bf6040
index:0xffff888096bf6540
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888096bf6040 ffff888096bf6540 0000000100000006
raw: ffffea00025bbca0 ffffea00020988e0 ffff8880aa8007c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888096bf6c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888096bf6c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff888096bf6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888096bf6d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888096bf6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 414510bc Linux 4.14.142
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=128a5e5e600000
kernel config: https://syzkaller.appspot.com/x/.config?x=9aa0b2ccd827f416

dashboard link: https://syzkaller.appspot.com/bug?extid=3565b7e06c0e4fee4a9b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dff14e600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c87b71600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3565b7...@syzkaller.appspotmail.com

audit: type=1400 audit(1568053150.491:36): avc: denied { map } for
pid=7025 comm="syz-executor133" path="/root/syz-executor133608442"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.

==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
BUG: KASAN: use-after-free in padata_serial_worker+0x362/0x400

kernel/padata.c:301
Write of size 8 at addr ffff8880990aab18 by task kworker/1:1/23

CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.142 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: pencrypt padata_serial_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]

dump_stack+0x138/0x197 lib/dump_stack.c:53

print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]

padata_serial_worker+0x362/0x400 kernel/padata.c:301

process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 7025:

save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7025:

save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_push_record+0xc03/0x1210 net/tls/tls_sw.c:293
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880990aaac0

which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of

256-byte region [ffff8880990aaac0, ffff8880990aabc0)

The buggy address belongs to the page:

page:ffffea0002642a80 count:1 mapcount:0 mapping:ffff8880990aa0c0
index:0xffff8880990aad40
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880990aa0c0 ffff8880990aad40 0000000100000004
raw: ffffea00026604a0 ffffea0002795020 ffff8880aa8007c0 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8880990aaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880990aaa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8880990aab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880990aab80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880990aac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================