syzbot


KASAN: invalid-free in selinux_tun_dev_free_security

Status: auto-obsoleted due to no activity on 2022/10/27 14:39
Reported-by: syzbot+843af03f101f69eb9a24@syzkaller.appspotmail.com
First crash: 234d, last: 224d

Sample crash report:
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3212 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xc3/0x290 mm/slub.c:4200

CPU: 1 PID: 7764 Comm: syz-executor.0 Not tainted 5.10.135-syzkaller-01839-g30abcdabf21e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3c0 mm/kasan/report.c:233
 kasan_report_invalid_free+0x58/0x90 mm/kasan/report.c:358
 ____kasan_slab_free+0x139/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1604 [inline]
 slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
 slab_free mm/slub.c:3212 [inline]
 kfree+0xc3/0x290 mm/slub.c:4200
 selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5530
 security_tun_dev_free_security+0x4d/0x90 security/security.c:2263
 tun_free_netdev+0xbd/0x1c0 drivers/net/tun.c:2277
 netdev_run_todo+0xbcd/0xe10 net/core/dev.c:10304
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:112
 __tun_chr_ioctl+0x8ca/0x2130 drivers/net/tun.c:3362
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:3371
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f17f85be279
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f17f7734168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f17f86d0f80 RCX: 00007f17f85be279
RDX: 0000000020000000 RSI: 00000000400454ca RDI: 0000000000000003
RBP: 00007f17f8618189 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff2056a02f R14: 00007f17f7734300 R15: 0000000000022000

Allocated by task 7764:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
 kasan_kmalloc include/linux/kasan.h:269 [inline]
 kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 selinux_tun_dev_alloc_security+0x51/0x140 security/selinux/hooks.c:5519
 security_tun_dev_alloc_security+0x50/0xb0 security/security.c:2257
 tun_set_iff+0x944/0x1100 drivers/net/tun.c:2795
 __tun_chr_ioctl+0x8ab/0x2130 drivers/net/tun.c:3095
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:3371
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

Freed by task 7764:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
 ____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1604 [inline]
 slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
 slab_free mm/slub.c:3212 [inline]
 kfree+0xc3/0x290 mm/slub.c:4200
 selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5530
 security_tun_dev_free_security+0x4d/0x90 security/security.c:2263
 tun_set_iff+0xc98/0x1100 drivers/net/tun.c:2850
 __tun_chr_ioctl+0x8ab/0x2130 drivers/net/tun.c:3095
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:3371
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

The buggy address belongs to the object at ffff8881115e5eb0
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [ffff8881115e5eb0, ffff8881115e5eb8)
The buggy address belongs to the page:
page:ffffea0004457940 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881115e58c0 pfn:0x1115e5
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea0004b8bcc0 0000000800000008 ffff888100043c80
raw: ffff8881115e58c0 0000000080660045 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6871, ts 169043172006, free_ts 169035756821
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2385 [inline]
 prep_new_page mm/page_alloc.c:2391 [inline]
 get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4071
 __alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5121
 alloc_slab_page mm/slub.c:1815 [inline]
 allocate_slab+0x78/0x540 mm/slub.c:1817
 new_slab mm/slub.c:1878 [inline]
 new_slab_objects mm/slub.c:2636 [inline]
 ___slab_alloc+0x131/0x2e0 mm/slub.c:2800
 __slab_alloc+0x63/0xa0 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 __kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
 kstrdup mm/util.c:63 [inline]
 kstrdup_const+0x55/0x90 mm/util.c:86
 __kernfs_new_node+0x99/0x6e0 fs/kernfs/dir.c:631
 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:697
 kernfs_create_link+0xb8/0x210 fs/kernfs/symlink.c:39
 sysfs_do_create_link_sd+0x89/0x110 fs/sysfs/symlink.c:44
 sysfs_do_create_link fs/sysfs/symlink.c:80 [inline]
 sysfs_create_link+0x68/0x80 fs/sysfs/symlink.c:92
 device_add_class_symlinks+0x222/0x2a0 drivers/base/core.c:2988
 device_add+0x4c3/0xbd0 drivers/base/core.c:3196
 netdev_register_kobject+0x179/0x320 net/core/net-sysfs.c:1997
 register_netdevice+0x1246/0x1790 net/core/dev.c:10018
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1331 [inline]
 __free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
 free_the_page mm/page_alloc.c:5182 [inline]
 __free_pages+0x383/0x570 mm/page_alloc.c:5189
 __free_slab+0xd3/0x190 mm/slub.c:1903
 free_slab mm/slub.c:1918 [inline]
 discard_slab mm/slub.c:1924 [inline]
 unfreeze_partials+0x17d/0x1b0 mm/slub.c:2419
 put_cpu_partial+0xc8/0x190 mm/slub.c:2455
 __slab_free+0x2d8/0x3a0 mm/slub.c:3104
 do_slab_free mm/slub.c:3200 [inline]
 ___cache_free+0x11f/0x140 mm/slub.c:3219
 qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
 qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
 kasan_slab_alloc include/linux/kasan.h:259 [inline]
 slab_post_alloc_hook include/../mm/slab.h:583 [inline]
 slab_alloc_node mm/slub.c:2956 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc_trace+0x172/0x330 mm/slub.c:2981
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 kset_create lib/kobject.c:969 [inline]
 kset_create_and_add+0x5c/0x2b0 lib/kobject.c:1012
 register_queue_kobjects net/core/net-sysfs.c:1742 [inline]
 netdev_register_kobject+0x1a8/0x320 net/core/net-sysfs.c:2001
 register_netdevice+0x1246/0x1790 net/core/dev.c:10018
 __ip_tunnel_create+0x2af/0x370 net/ipv4/ip_tunnel.c:267

Memory state around the buggy address:
 ffff8881115e5d80: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
 ffff8881115e5e00: fc fc fa fc fc fc fc fa fc fc fc fc fb fc fc fc
>ffff8881115e5e80: fc fb fc fc fc fc fa fc fc fc fc fa fc fc fc fc
                                     ^
 ffff8881115e5f00: fa fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa
 ffff8881115e5f80: fc fc fc fc fa fc fc fc fc fb fc fc fc fc fc fc
==================================================================

Crashes (14):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-android-5-10-perf 2022/08/14 04:31 android12-5.10-lts 30abcdabf21e 8dfcaa3d .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/13 15:08 android12-5.10-lts 30abcdabf21e 8dfcaa3d .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/11 14:25 android12-5.10-lts 30abcdabf21e 787ed7e0 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/10 19:56 android12-5.10-lts 30abcdabf21e aaa9eaa0 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/09 21:40 android12-5.10-lts f6ce9a9115d5 c2a623d6 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/09 19:54 android12-5.10-lts f6ce9a9115d5 c2a623d6 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/09 15:03 android12-5.10-lts f6ce9a9115d5 da700653 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10 2022/08/09 03:56 android12-5.10-lts f6ce9a9115d5 da700653 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/07 18:46 android12-5.10-lts f6ce9a9115d5 88e3a122 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/07 09:35 android12-5.10-lts f6ce9a9115d5 88e3a122 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/07 00:14 android12-5.10-lts f6ce9a9115d5 88e3a122 .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/04 15:36 android12-5.10-lts f6ce9a9115d5 1c9013ac .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/04 12:20 android12-5.10-lts f6ce9a9115d5 1c9013ac .config console log report info KASAN: invalid-free in selinux_tun_dev_free_security
ci2-android-5-10-perf 2022/08/11 02:58 android12-5.10-lts 30abcdabf21e a6201f11 .config console log report info KFENCE: invalid free in selinux_tun_dev_free_security
* Struck through repros no longer work on HEAD.