==================================================================
BUG: KASAN: use-after-free in key_task_permission+0x365/0x460 security/keys/permission.c:54
Read of size 4 at addr ffff888112aba380 by task syz-executor.2/20908
CPU: 1 PID: 20908 Comm: syz-executor.2 Not tainted 5.10.204-syzkaller-01048-gf7977422e132 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
key_task_permission+0x365/0x460 security/keys/permission.c:54
search_nested_keyrings+0x93d/0x1170 security/keys/keyring.c:793
keyring_search_rcu+0x18e/0x290 security/keys/keyring.c:922
search_cred_keyrings_rcu+0x499/0x5f0 security/keys/process_keys.c:501
search_process_keyrings_rcu+0x21/0x280 security/keys/process_keys.c:544
request_key_and_link+0x33c/0x1450 security/keys/request_key.c:618
__do_sys_request_key security/keys/keyctl.c:222 [inline]
__se_sys_request_key+0x26d/0x3b0 security/keys/keyctl.c:167
__x64_sys_request_key+0x9b/0xb0 security/keys/keyctl.c:167
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fa0f8224ce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa0f6fa70c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f9
RAX: ffffffffffffffda RBX: 00007fa0f8343f80 RCX: 00007fa0f8224ce9
RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040
RBP: 00007fa0f827147a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa0f8343f80 R15: 00007ffcbcd64358
Allocated by task 16544:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:430 [inline]
____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:509
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:518
kasan_kmalloc include/linux/kasan.h:254 [inline]
kmem_cache_alloc_trace+0x18a/0x2e0 mm/slub.c:2974
kmalloc include/linux/slab.h:552 [inline]
tipc_dest_push net/tipc/name_table.c:1120 [inline]
tipc_nametbl_mc_lookup+0x574/0xb10 net/tipc/name_table.c:658
tipc_sk_mcast_rcv+0x590/0x10b0 net/tipc/socket.c:1232
tipc_mcast_xmit+0x144a/0x1b30 net/tipc/bcast.c:424
tipc_send_group_bcast+0x843/0xb50 net/tipc/socket.c:1114
__tipc_sendmsg+0x1364/0x3ab0
tipc_sendmsg+0x55/0x70 net/tipc/socket.c:1391
sock_sendmsg_nosec net/socket.c:652 [inline]
__sock_sendmsg net/socket.c:664 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2374
___sys_sendmsg+0x252/0x2e0 net/socket.c:2428
__sys_sendmmsg+0x2c3/0x510 net/socket.c:2514
__do_sys_sendmmsg net/socket.c:2543 [inline]
__se_sys_sendmmsg net/socket.c:2540 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2540
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
Freed by task 93:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:362
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
kasan_slab_free include/linux/kasan.h:220 [inline]
slab_free_hook mm/slub.c:1595 [inline]
slab_free_freelist_hook+0xc0/0x190 mm/slub.c:1621
slab_free mm/slub.c:3203 [inline]
kfree+0xc3/0x270 mm/slub.c:4191
security_inode_init_security+0x2c0/0x390 security/security.c:1036
shmem_mknod+0xb8/0x1c0 mm/shmem.c:2902
shmem_create+0x2b/0x40 mm/shmem.c:2957
lookup_open fs/namei.c:3253 [inline]
open_last_lookups fs/namei.c:3323 [inline]
path_openat+0x1377/0x3000 fs/namei.c:3512
do_filp_open+0x21c/0x460 fs/namei.c:3542
do_sys_openat2+0x13f/0x6f0 fs/open.c:1217
do_sys_open fs/open.c:1233 [inline]
__do_sys_openat fs/open.c:1249 [inline]
__se_sys_openat fs/open.c:1244 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1244
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
The buggy address belongs to the object at ffff888112aba380
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff888112aba380, ffff888112aba3a0)
The buggy address belongs to the page:
page:ffffea00044aae80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112aba
flags: 0x4000000000000200(slab)
raw: 4000000000000200 ffffea00044f8940 0000000200000002 ffff888100043980
raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 17206, ts 1673795342646, free_ts 1673787154598
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2456 [inline]
prep_new_page+0x166/0x180 mm/page_alloc.c:2462
get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
__alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5346
allocate_slab mm/slub.c:1808 [inline]
new_slab+0x80/0x400 mm/slub.c:1869
new_slab_objects mm/slub.c:2627 [inline]
___slab_alloc+0x302/0x4b0 mm/slub.c:2791
__slab_alloc+0x63/0xa0 mm/slub.c:2831
slab_alloc_node mm/slub.c:2913 [inline]
slab_alloc mm/slub.c:2955 [inline]
kmem_cache_alloc_trace+0x1bd/0x2e0 mm/slub.c:2972
kmalloc include/linux/slab.h:552 [inline]
tipc_dest_push net/tipc/name_table.c:1120 [inline]
tipc_nametbl_mc_lookup+0x574/0xb10 net/tipc/name_table.c:658
tipc_sk_mcast_rcv+0x590/0x10b0 net/tipc/socket.c:1232
tipc_mcast_xmit+0x144a/0x1b30 net/tipc/bcast.c:424
tipc_send_group_bcast+0x843/0xb50 net/tipc/socket.c:1114
__tipc_sendmsg+0x1364/0x3ab0
tipc_sendmsg+0x55/0x70 net/tipc/socket.c:1391
sock_sendmsg_nosec net/socket.c:652 [inline]
__sock_sendmsg net/socket.c:664 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2374
___sys_sendmsg+0x252/0x2e0 net/socket.c:2428
__sys_sendmmsg+0x2c3/0x510 net/socket.c:2514
page last free stack trace:
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1349 [inline]
free_pcp_prepare mm/page_alloc.c:1421 [inline]
free_unref_page_prepare+0x2ae/0x2d0 mm/page_alloc.c:3336
free_unref_page mm/page_alloc.c:3391 [inline]
free_the_page+0x9e/0x370 mm/page_alloc.c:5405
__free_pages+0x67/0xc0 mm/page_alloc.c:5416
__free_slab+0xcf/0x190 mm/slub.c:1894
free_slab mm/slub.c:1909 [inline]
discard_slab mm/slub.c:1915 [inline]
unfreeze_partials+0x15e/0x190 mm/slub.c:2410
put_cpu_partial+0xbf/0x180 mm/slub.c:2446
__slab_free+0x2c8/0x3a0 mm/slub.c:3095
do_slab_free mm/slub.c:3191 [inline]
___cache_free+0x111/0x130 mm/slub.c:3210
qlink_free+0x50/0x90 mm/kasan/quarantine.c:157
qlist_free_all+0x47/0xb0 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:440
kasan_slab_alloc include/linux/kasan.h:244 [inline]
slab_post_alloc_hook+0x61/0x2f0 mm/slab.h:583
slab_alloc_node mm/slub.c:2947 [inline]
slab_alloc mm/slub.c:2955 [inline]
kmem_cache_alloc+0x168/0x2e0 mm/slub.c:2960
kmem_cache_alloc_node include/linux/slab.h:423 [inline]
__alloc_skb+0x80/0x510 net/core/skbuff.c:199
alloc_skb_fclone include/linux/skbuff.h:1176 [inline]
tipc_buf_acquire net/tipc/msg.c:74 [inline]
tipc_msg_build+0x13e/0x1040 net/tipc/msg.c:390
Memory state around the buggy address:
ffff888112aba280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff888112aba300: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
>ffff888112aba380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
^
ffff888112aba400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff888112aba480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
==================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#2] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 20908 Comm: syz-executor.2 Tainted: G B D 5.10.204-syzkaller-01048-gf7977422e132 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:selinux_key_permission+0xff/0x190 security/selinux/hooks.c:6685
Code: 8b 23 49 83 e7 fe 49 83 c7 68 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 2b db 79 ff 49 8b 1f 48 89 d8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 75 68 8b 13 48 c7 c7 a0 a4 0e 87 44 89 e6 b9
RSP: 0018:ffffc900064bf720 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff822e37b5
RDX: 0000000000000000 RSI: 0000000000000286 RDI: ffff888112aba368
RBP: ffffc900064bf748 R08: 0000000000000005 R09: ffffffff822e36ea
R10: 000000000000000a R11: ffff888196da3b40 R12: 0000000000000082
R13: dffffc0000000000 R14: 0000000000000008 R15: ffff888112aba368
FS: 00007fa0f6fa76c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000114db9000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
security_key_permission+0x72/0xb0 security/security.c:2454
key_task_permission+0x332/0x460 security/keys/permission.c:90
search_nested_keyrings+0x93d/0x1170 security/keys/keyring.c:793
keyring_search_rcu+0x18e/0x290 security/keys/keyring.c:922
search_cred_keyrings_rcu+0x499/0x5f0 security/keys/process_keys.c:501
search_process_keyrings_rcu+0x21/0x280 security/keys/process_keys.c:544
request_key_and_link+0x33c/0x1450 security/keys/request_key.c:618
__do_sys_request_key security/keys/keyctl.c:222 [inline]
__se_sys_request_key+0x26d/0x3b0 security/keys/keyctl.c:167
__x64_sys_request_key+0x9b/0xb0 security/keys/keyctl.c:167
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fa0f8224ce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa0f6fa70c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f9
RAX: ffffffffffffffda RBX: 00007fa0f8343f80 RCX: 00007fa0f8224ce9
RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040
RBP: 00007fa0f827147a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa0f8343f80 R15: 00007ffcbcd64358
Modules linked in:
---[ end trace 5447894fcf0d29aa ]---
RIP: 0010:selinux_key_permission+0xff/0x190 security/selinux/hooks.c:6685
----------------
Code disassembly (best guess):
0: 8b 23 mov (%rbx),%esp
2: 49 83 e7 fe and $0xfffffffffffffffe,%r15
6: 49 83 c7 68 add $0x68,%r15
a: 4c 89 f8 mov %r15,%rax
d: 48 c1 e8 03 shr $0x3,%rax
11: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
16: 74 08 je 0x20
18: 4c 89 ff mov %r15,%rdi
1b: e8 2b db 79 ff call 0xff79db4b
20: 49 8b 1f mov (%r15),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 75 68 jne 0x9b
33: 8b 13 mov (%rbx),%edx
35: 48 c7 c7 a0 a4 0e 87 mov $0xffffffff870ea4a0,%rdi
3c: 44 89 e6 mov %r12d,%esi
3f: b9 .byte 0xb9