KASAN: use-after-free Read in selinux_inode_free

KASAN: use-after-free Read in selinux_inode_free_security
Status: auto-closed as invalid on 2019/05/27 03:59
Reported-by: syzbot+86876657b7b7291f1b25@syzkaller.appspotmail.com
First crash: 969d, last: 969d

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-44	KASAN: use-after-free Read in selinux_inode_free_security				1	1080d	1080d	0/2	auto-closed as invalid on 2019/02/22 13:59
upstream	KASAN: use-after-free Read in selinux_inode_free_security				1	1267d	1256d	0/22	auto-closed as invalid on 2019/02/22 10:34

Sample crash report:

binder_alloc: binder_alloc_mmap_handler: 6256 20001000-20004000 already mapped failed -16
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
binder: 6256:6264 got transaction to invalid handle
binder: 6256:6264 transaction failed 29201/-22, size 0-0 line 3013
==================================================================
BUG: KASAN: use-after-free in inode_free_security security/selinux/hooks.c:330 [inline]
BUG: KASAN: use-after-free in selinux_inode_free_security+0x219/0x2b0 security/selinux/hooks.c:2830
Read of size 8 at addr ffff8801875b55f8 by task syz-executor3/6255

CPU: 0 PID: 6255 Comm: syz-executor3 Not tainted 4.9.141+ #1
 ffff8801ca7df870 ffffffff81b42e79 ffffea00061d6c00 ffff8801875b55f8
 0000000000000000 ffff8801875b55f8 ffffffff82af3de0 ffff8801ca7df8a8
 ffffffff815009b8 ffff8801875b55f8 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff81a07049>] inode_free_security security/selinux/hooks.c:330 [inline]
 [<ffffffff81a07049>] selinux_inode_free_security+0x219/0x2b0 security/selinux/hooks.c:2830
 [<ffffffff819e3c96>] security_inode_free+0x56/0x90 security/security.c:356
 [<ffffffff8155ff6e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff8156236e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff81562816>] evict+0x3d6/0x620 fs/inode.c:570
 [<ffffffff81563a01>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff81563a01>] iput+0x371/0x900 fs/inode.c:1543
 [<ffffffff815e4868>] fsnotify_detach_mark+0x2c8/0x410 fs/notify/mark.c:170
 [<ffffffff815e608c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff815e34f2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff815e7967>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff81510293>] __fput+0x263/0x700 fs/file_table.c:208
 [<ffffffff815107b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8113dc4c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
 [<ffffffff8110f6c2>] get_signal+0x1042/0x1460 kernel/signal.c:2151
 [<ffffffff81052aa5>] do_signal+0x95/0x1b00 arch/x86/kernel/signal.c:807
 [<ffffffff81003e2e>] exit_to_usermode_loop+0x10e/0x150 arch/x86/entry/common.c:158
 [<ffffffff81005932>] prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 [<ffffffff81005932>] syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
 [<ffffffff81005932>] do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 6254:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 kmem_cache_alloc_trace+0x117/0x2e0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 alloc_super fs/super.c:187 [inline]
 sget_userns+0xf1/0xc40 fs/super.c:503
 sget+0xd6/0x120 fs/super.c:559
 mount_nodev+0x37/0x100 fs/super.c:1141
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x28c/0x370 fs/super.c:1206
 vfs_kern_mount.part.8+0xd1/0x4b0 fs/namespace.c:1000
 vfs_kern_mount fs/namespace.c:982 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0x3c9/0x28a0 fs/namespace.c:2871
 SYSC_mount fs/namespace.c:3087 [inline]
 SyS_mount+0xea/0x100 fs/namespace.c:3064
 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 27122:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 destroy_super_work+0x40/0x50 fs/super.c:147
 process_one_work+0x831/0x15f0 kernel/workqueue.c:2092
 worker_thread+0xd6/0x1140 kernel/workqueue.c:2226
 kthread+0x26d/0x300 kernel/kthread.c:211
 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801875b5500
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 248 bytes inside of
 4096-byte region [ffff8801875b5500, ffff8801875b6500)
The buggy address belongs to the page:
page:ffffea00061d6c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801875b5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801875b5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801875b5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801875b5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801875b5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-android-49-kasan-gce	2018/11/28 03:58	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	4b6d14f2	.config	log	report