================================================================== BUG: KASAN: use-after-free in take_option security/selinux/hooks.c:2619 [inline] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674 Write of size 10 at addr ffff8801d4c0f000 by task syz-executor3/8166 CPU: 0 PID: 8166 Comm: syz-executor3 Not tainted 4.9.124-g09eb2ba #83 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a00874c8 ffffffff81eb95e9 ffffea00075303c0 ffff8801d4c0f000 0000000000000001 ffff8801d4c0f000 000000000000000a ffff8801a0087500 ffffffff8156c35e ffff8801d4c0f000 000000000000000a 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [] kasan_report_error mm/kasan/report.c:355 [inline] [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [] check_memory_region_inline mm/kasan/kasan.c:318 [inline] [] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325 [] memcpy+0x37/0x50 mm/kasan/kasan.c:361 [] take_option security/selinux/hooks.c:2619 [inline] [] selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674 [] security_sb_copy_data+0x7b/0xb0 security/security.c:283 [] parse_security_options+0x36/0x90 fs/btrfs/super.c:1493 [] btrfs_mount+0x2f3/0x2bc0 fs/btrfs/super.c:1572 [] mount_fs+0x28c/0x370 fs/super.c:1206 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000 [] vfs_kern_mount+0x40/0x60 fs/namespace.c:982 [] mount_subvol fs/btrfs/super.c:1395 [inline] [] btrfs_mount+0x40b/0x2bc0 fs/btrfs/super.c:1566 [] mount_fs+0x28c/0x370 fs/super.c:1206 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000 [] vfs_kern_mount fs/namespace.c:982 [inline] [] do_new_mount fs/namespace.c:2537 [inline] [] do_mount+0x3c9/0x2740 fs/namespace.c:2859 [] SYSC_mount fs/namespace.c:3075 [inline] [] SyS_mount+0xfe/0x110 fs/namespace.c:3052 [] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Allocated by task 6857: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xbe/0x290 mm/slub.c:2728 dst_alloc+0xb5/0x1a0 net/core/dst.c:210 rt_dst_alloc+0x78/0x430 net/ipv4/route.c:1486 __mkroute_output net/ipv4/route.c:2145 [inline] __ip_route_output_key_hash+0x9ac/0x23c0 net/ipv4/route.c:2355 __ip_route_output_key include/net/route.h:123 [inline] ip_route_output_flow+0x29/0xa0 net/ipv4/route.c:2442 udp_sendmsg+0x13cd/0x1c50 net/ipv4/udp.c:1025 udpv6_sendmsg+0x127d/0x2430 net/ipv6/udp.c:1086 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:648 [inline] sock_sendmsg+0xcc/0x110 net/socket.c:658 ___sys_sendmsg+0x47a/0x840 net/socket.c:1982 __sys_sendmmsg+0x161/0x3d0 net/socket.c:2072 SYSC_sendmmsg net/socket.c:2103 [inline] SyS_sendmmsg+0x35/0x60 net/socket.c:2098 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x5d/0xdb Freed by task 17: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xbe/0x310 mm/slub.c:2980 dst_destroy+0x200/0x360 net/core/dst.c:270 dst_destroy_rcu+0x15/0x40 net/core/dst.c:295 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037 __do_softirq+0x210/0x940 kernel/softirq.c:288 The buggy address belongs to the object at ffff8801d4c0f000 which belongs to the cache ip_dst_cache of size 216 The buggy address is located 0 bytes inside of 216-byte region [ffff8801d4c0f000, ffff8801d4c0f0d8) The buggy address belongs to the page: page:ffffea00075303c0 count:1 mapcount:0 mapping: (null) index:0xffff8801d4c0fdc0 flags: 0x8000000000000080(slab) page dumped because: kasan: bad access detected Memory state around the buggy address: netlink: 20 bytes leftover after parsing attributes in process `syz-executor7'. ffff8801d4c0ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d4c0ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d4c0f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d4c0f080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc ffff8801d4c0f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ==================================================================