================================================================== BUG: KASAN: use-after-free in ____bpf_clone_redirect net/core/filter.c:1767 [inline] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0 net/core/filter.c:1758 Read of size 8 at addr ffff880181923510 by task syz-executor3/14272 CPU: 0 PID: 14272 Comm: syz-executor3 Not tainted 4.14.73+ #15 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 print_address_description+0x60/0x22b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409 ____bpf_clone_redirect net/core/filter.c:1767 [inline] bpf_clone_redirect+0x29a/0x2b0 net/core/filter.c:1758 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012 Allocated by task 6942: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551 slab_post_alloc_hook mm/slab.h:442 [inline] slab_alloc_node mm/slub.c:2723 [inline] slab_alloc mm/slub.c:2731 [inline] kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736 kmem_cache_zalloc include/linux/slab.h:651 [inline] avc_alloc_node+0x24/0x3b0 security/selinux/avc.c:549 avc_insert security/selinux/avc.c:668 [inline] avc_compute_av+0x175/0x570 security/selinux/avc.c:974 avc_has_perm_noaudit+0x2a7/0x300 security/selinux/avc.c:1110 selinux_inode_permission+0x304/0x460 security/selinux/hooks.c:3098 security_inode_permission+0xb4/0xf0 security/security.c:700 __inode_permission2+0x86/0x2b0 fs/namei.c:436 inode_permission2+0x2a/0x100 fs/namei.c:485 may_lookup fs/namei.c:1684 [inline] link_path_walk+0x18e/0xf90 fs/namei.c:2070 path_lookupat.isra.10+0x1f0/0x890 fs/namei.c:2315 filename_lookup.part.18+0x177/0x370 fs/namei.c:2350 filename_lookup fs/namei.c:2343 [inline] user_path_at_empty+0x4b/0x80 fs/namei.c:2611 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0xe1/0x180 fs/stat.c:185 vfs_stat include/linux/fs.h:3086 [inline] SYSC_newstat fs/stat.c:337 [inline] SyS_newstat+0x81/0xf0 fs/stat.c:333 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 6989: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1389 [inline] slab_free_freelist_hook mm/slub.c:1410 [inline] slab_free mm/slub.c:2966 [inline] kmem_cache_free+0x12d/0x350 mm/slub.c:2988 avc_node_free+0x41/0x60 security/selinux/avc.c:485 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2691 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2945 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2912 [inline] rcu_process_callbacks+0x54d/0xee0 kernel/rcu/tree.c:2929 __do_softirq+0x215/0x997 kernel/softirq.c:288 The buggy address belongs to the object at ffff8801819234e0 which belongs to the cache avc_node of size 72 The buggy address is located 48 bytes inside of 72-byte region [ffff8801819234e0, ffff880181923528) The buggy address belongs to the page: page:ffffea00060648c0 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000100(slab) raw: 4000000000000100 0000000000000000 0000000000000000 0000000100270027 raw: 0000000000000000 0000000100000001 ffff8801da953600 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff880181923400: fc fc fb fb fb fb fb fb fb fb fb fc fc fc fc fb ffff880181923480: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb >ffff880181923500: fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb ^ ffff880181923580: fb fb fc fc fc fc fb fb fb fb fb fb fb fb fb fc ffff880181923600: fc fc fc fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================