Reminder: 17 open syzbot bugs in "net/tls" subsystem

From: Eric Biggers
Date: Tue Jun 25 2019 - 01:50:26 EST

[This email was generated by a script. Let me know if you have any suggestions
to make it better.]

Of the currently open syzbot reports against the upstream kernel, I've manually
marked 17 of them as possibly being bugs in the "net/tls" subsystem. I've
listed these reports below, sorted by an algorithm that tries to list first the
reports most likely to be still valid, important, and actionable.

Of these 17 bugs, 7 were seen in mainline in the last week.

Of these 17 bugs, 6 were bisected to commits from the following people:

Dave Watson <davejwatson@xxxxxx>
Vakul Garg <vakul.garg@xxxxxxx>
Boris Pismenny <borisp@xxxxxxxxxxxx>
Daniel Borkmann <daniel@xxxxxxxxxxxxx>

If you believe a bug is no longer valid, please close the syzbot report by
sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to the
original thread, as explained at https://goo.gl/tpsmEJ#status

If you believe I misattributed a bug to the "net/tls" subsystem, please let me
know, and if possible forward the report to the correct people or mailing list.

Here are the bugs:

--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in tls_write_space
Last occurred: 0 days ago
Reported: 353 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=3ff26cb6000860a73428556d7df314541369c939
Original thread: https://lkml.kernel.org/lkml/0000000000003dab1605704fb71d@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+2134b6b74dec9f8c760f@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000003dab1605704fb71d@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KMSAN: uninit-value in gf128mul_4k_lle (3)
Last occurred: 0 days ago
Reported: 213 days ago
Branches: Mainline (with KMSAN patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=a01db4c67933e9e4be8e721a8ee15a9530f1ac04
Original thread: https://lkml.kernel.org/lkml/000000000000bf2457057b5ccda3@xxxxxxxxxx/T/#u

This bug has a C reproducer.

The original thread for this bug received 2 replies; the last was 208 days ago.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+f8495bff23a879a6d0bd@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000bf2457057b5ccda3@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: INFO: task hung in tls_sw_free_resources_tx
Last occurred: 6 days ago
Reported: 202 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=44ae4b4fa7e6c6e92aa921d2ec20ce9fbee97939
Original thread: https://lkml.kernel.org/lkml/000000000000cab053057c2e5202@xxxxxxxxxx/T/#u

This bug has a C reproducer.

This bug was bisected to:

commit 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
Author: Dave Watson <davejwatson@xxxxxx>
Date: Wed Jun 14 18:37:39 2017 +0000

  tls: kernel TLS support

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+503339bf3c9053b8a7fc@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000cab053057c2e5202@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: INFO: task hung in __flush_work
Last occurred: 0 days ago
Reported: 128 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=9613d8dffb5c6cc39da8ec290cb8f3eb62bdf21f
Original thread: https://lkml.kernel.org/lkml/0000000000008f9c780581fd7417@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+aa0b64a57e300a1c6bcc@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000008f9c780581fd7417@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: kernel BUG at include/linux/scatterlist.h:LINE!
Last occurred: 1 day ago
Reported: 33 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=effb623cefb879664122cc47df3af728957eb279
Original thread: https://lkml.kernel.org/lkml/000000000000f41cd905897c075e@xxxxxxxxxx/T/#u

This bug has a C reproducer.

This bug was bisected to:

commit f295b3ae9f5927e084bd5decdff82390e3471801
Author: Vakul Garg <vakul.garg@xxxxxxx>
Date: Wed Mar 20 02:03:36 2019 +0000

  net/tls: Add support of AES128-CCM based ciphers

The original thread for this bug has received 1 reply, 14 days ago.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+df0d4ec12332661dd1f9@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please reply to the original
thread, which had activity only 14 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lkml.kernel.org/r/000000000000f41cd905897c075e@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: kernel BUG at ./include/linux/scatterlist.h:LINE!
Last occurred: 5 days ago
Reported: 4 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=3008161aab5958fe4125a4cae3e4b7ad3ea50a26
Original thread: https://lkml.kernel.org/lkml/000000000000417551058bc0bef9@xxxxxxxxxx/T/#u

This bug has a C reproducer.

This bug was bisected to:

commit f295b3ae9f5927e084bd5decdff82390e3471801
Author: Vakul Garg <vakul.garg@xxxxxxx>
Date: Wed Mar 20 02:03:36 2019 +0000

  net/tls: Add support of AES128-CCM based ciphers

No one has replied to the original thread for this bug yet.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+ef0daa6ce95facb233c1@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000417551058bc0bef9@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: kernel BUG at include/linux/mm.h:LINE! (5)
Last occurred: 42 days ago
Reported: 112 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=c14d620a28ea77843c2632f5b05b315c44a2dd06
Original thread: https://lkml.kernel.org/lkml/00000000000054cc6d05834c33d7@xxxxxxxxxx/T/#u

This bug has a C reproducer.

This bug was bisected to:

commit 94850257cf0f88b20db7644f28bfedc7d284de15
Author: Boris Pismenny <borisp@xxxxxxxxxxxx>
Date: Wed Feb 27 15:38:03 2019 +0000

  tls: Fix tls_device handling of partial records

The original thread for this bug received 1 reply, 111 days ago.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+5013d47539cdd43e7098@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000054cc6d05834c33d7@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING: ODEBUG bug in tls_sw_free_resources_tx
Last occurred: 7 days ago
Reported: 230 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=f4b5189b77d5defcd01b7177411ebb8717b7ca45
Original thread: https://lkml.kernel.org/lkml/00000000000062c5c3057a095d25@xxxxxxxxxx/T/#u

Unfortunately, this bug does not have a reproducer.

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+70ab6a1f8151888c4ea0@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000062c5c3057a095d25@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: memory leak in create_ctx
Last occurred: 16 days ago
Reported: 16 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=3497d93558e378dec6f6583bedd163778c79d0dd
Original thread: https://lkml.kernel.org/lkml/000000000000a420af058ad4bca2@xxxxxxxxxx/T/#u

This bug has a syzkaller reproducer only.

The original thread for this bug has received 5 replies; the last was 10 days
ago.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+06537213db7ba2745c4a@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please reply to the original
thread, which had activity only 10 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lkml.kernel.org/r/000000000000a420af058ad4bca2@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING in sk_stream_kill_queues (3)
Last occurred: 16 days ago
Reported: 375 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=1557fb40b5ed0a1ed2ba18268e04da194674d770
Original thread: https://lkml.kernel.org/lkml/000000000000013b0d056e997fec@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+13e1ee9caeab5a9abc62@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000013b0d056e997fec@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in generic_gcmaes_encrypt
Last occurred: 145 days ago
Reported: 271 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=27ba7fbc34f9b61adecf2615022db00a6fb61211
Original thread: https://lkml.kernel.org/lkml/000000000000d014010576cc00f4@xxxxxxxxxx/T/#u

This bug has a C reproducer.

This bug was bisected to:

commit a42055e8d2c30d4decfc13ce943d09c7b9dad221
Author: Vakul Garg <vakul.garg@xxxxxxx>
Date: Fri Sep 21 04:16:13 2018 +0000

  net/tls: Add support for async encryption of records for performance

The original thread for this bug received 2 replies; the last was 270 days ago.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+6d3612ba5e254e387153@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000d014010576cc00f4@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: general protection fault in tcp_cleanup_ulp
Last occurred: 276 days ago
Reported: 291 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=24f95d3de36dd102ee36510385eec785fe08ad0d
Original thread: https://lkml.kernel.org/lkml/00000000000006602605752ffa1a@xxxxxxxxxx/T/#u

This bug has a syzkaller reproducer only.

This bug was bisected to:

commit 90545cdc3f2b2ea700e24335610cd181e73756da
Author: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Date: Thu Aug 16 19:49:07 2018 +0000

  tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+0b3ccd4f62dac2cf3a7d@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000006602605752ffa1a@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: INFO: task hung in tls_sw_sendmsg
Last occurred: 5 days ago
Reported: 105 days ago
Branches: net and net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=706f5d1339aa1c10348c96d852da1c1e34e5b7bd
Original thread: https://lkml.kernel.org/lkml/0000000000006a71990583cd3d9c@xxxxxxxxxx/T/#u

Unfortunately, this bug does not have a reproducer.

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+8a6df99c3b1812093b70@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000006a71990583cd3d9c@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in crypto_gcm_init_common
Last occurred: 165 days ago
Reported: 230 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=979d00397272e11bc334ec842074d314bde41b90
Original thread: https://lkml.kernel.org/lkml/00000000000060e0ae057a092be8@xxxxxxxxxx/T/#u

This bug has a C reproducer.

syzbot has bisected this bug, but I think the bisection result is incorrect.

The original thread for this bug received 2 replies; the last was 62 days ago.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+e736399a2c4054612307@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000060e0ae057a092be8@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in timer_is_static_object (2)
Last occurred: 14 days ago
Reported: 40 days ago
Branches: net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=aa9951fb518f1e883b28a0675789ff2fc82c8bf5
Original thread: https://lkml.kernel.org/lkml/000000000000f29ffd0588e669d4@xxxxxxxxxx/T/#u

Unfortunately, this bug does not have a reproducer.

No one has replied to the original thread for this bug yet.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+81215bf96c82318c7e74@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000f29ffd0588e669d4@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in tls_push_sg
Last occurred: 38 days ago
Reported: 38 days ago
Branches: net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=244990e1ccfdb940c14114668b0a967198582f04
Original thread: https://lkml.kernel.org/lkml/0000000000000d1491058919b662@xxxxxxxxxx/T/#u

Unfortunately, this bug does not have a reproducer.

No one has replied to the original thread for this bug yet.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+66fbe4719f6ef22754ee@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000000d1491058919b662@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: slab-out-of-bounds Read in tls_write_space
Last occurred: 272 days ago
Reported: 272 days ago
Branches: linux-next and net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=748ab8de777f23e8265027741072c68feb62a527
Original thread: https://lkml.kernel.org/lkml/0000000000000a5b840576bad225@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+12638b747fd208f6cff0@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000000a5b840576bad225@xxxxxxxxxx