================================================================== BUG: KASAN: use-after-free in key_task_permission+0x365/0x460 security/keys/permission.c:54 Read of size 4 at addr ffff888112aba380 by task syz-executor.2/20908 CPU: 1 PID: 20908 Comm: syz-executor.2 Not tainted 5.10.204-syzkaller-01048-gf7977422e132 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118 print_address_description+0x81/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:435 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:452 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 key_task_permission+0x365/0x460 security/keys/permission.c:54 search_nested_keyrings+0x93d/0x1170 security/keys/keyring.c:793 keyring_search_rcu+0x18e/0x290 security/keys/keyring.c:922 search_cred_keyrings_rcu+0x499/0x5f0 security/keys/process_keys.c:501 search_process_keyrings_rcu+0x21/0x280 security/keys/process_keys.c:544 request_key_and_link+0x33c/0x1450 security/keys/request_key.c:618 __do_sys_request_key security/keys/keyctl.c:222 [inline] __se_sys_request_key+0x26d/0x3b0 security/keys/keyctl.c:167 __x64_sys_request_key+0x9b/0xb0 security/keys/keyctl.c:167 do_syscall_64+0x34/0x70 entry_SYSCALL_64_after_hwframe+0x61/0xc6 RIP: 0033:0x7fa0f8224ce9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa0f6fa70c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f9 RAX: ffffffffffffffda RBX: 00007fa0f8343f80 RCX: 00007fa0f8224ce9 RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040 RBP: 00007fa0f827147a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fa0f8343f80 R15: 00007ffcbcd64358 Allocated by task 16544: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:430 [inline] ____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:509 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:518 kasan_kmalloc include/linux/kasan.h:254 [inline] kmem_cache_alloc_trace+0x18a/0x2e0 mm/slub.c:2974 kmalloc include/linux/slab.h:552 [inline] tipc_dest_push net/tipc/name_table.c:1120 [inline] tipc_nametbl_mc_lookup+0x574/0xb10 net/tipc/name_table.c:658 tipc_sk_mcast_rcv+0x590/0x10b0 net/tipc/socket.c:1232 tipc_mcast_xmit+0x144a/0x1b30 net/tipc/bcast.c:424 tipc_send_group_bcast+0x843/0xb50 net/tipc/socket.c:1114 __tipc_sendmsg+0x1364/0x3ab0 tipc_sendmsg+0x55/0x70 net/tipc/socket.c:1391 sock_sendmsg_nosec net/socket.c:652 [inline] __sock_sendmsg net/socket.c:664 [inline] ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2374 ___sys_sendmsg+0x252/0x2e0 net/socket.c:2428 __sys_sendmmsg+0x2c3/0x510 net/socket.c:2514 __do_sys_sendmmsg net/socket.c:2543 [inline] __se_sys_sendmmsg net/socket.c:2540 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2540 do_syscall_64+0x34/0x70 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Freed by task 93: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:45 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370 ____kasan_slab_free+0x121/0x160 mm/kasan/common.c:362 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370 kasan_slab_free include/linux/kasan.h:220 [inline] slab_free_hook mm/slub.c:1595 [inline] slab_free_freelist_hook+0xc0/0x190 mm/slub.c:1621 slab_free mm/slub.c:3203 [inline] kfree+0xc3/0x270 mm/slub.c:4191 security_inode_init_security+0x2c0/0x390 security/security.c:1036 shmem_mknod+0xb8/0x1c0 mm/shmem.c:2902 shmem_create+0x2b/0x40 mm/shmem.c:2957 lookup_open fs/namei.c:3253 [inline] open_last_lookups fs/namei.c:3323 [inline] path_openat+0x1377/0x3000 fs/namei.c:3512 do_filp_open+0x21c/0x460 fs/namei.c:3542 do_sys_openat2+0x13f/0x6f0 fs/open.c:1217 do_sys_open fs/open.c:1233 [inline] __do_sys_openat fs/open.c:1249 [inline] __se_sys_openat fs/open.c:1244 [inline] __x64_sys_openat+0x243/0x290 fs/open.c:1244 do_syscall_64+0x34/0x70 entry_SYSCALL_64_after_hwframe+0x61/0xc6 The buggy address belongs to the object at ffff888112aba380 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 0 bytes inside of 32-byte region [ffff888112aba380, ffff888112aba3a0) The buggy address belongs to the page: page:ffffea00044aae80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112aba flags: 0x4000000000000200(slab) raw: 4000000000000200 ffffea00044f8940 0000000200000002 ffff888100043980 raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 17206, ts 1673795342646, free_ts 1673787154598 set_page_owner include/linux/page_owner.h:35 [inline] post_alloc_hook mm/page_alloc.c:2456 [inline] prep_new_page+0x166/0x180 mm/page_alloc.c:2462 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5346 allocate_slab mm/slub.c:1808 [inline] new_slab+0x80/0x400 mm/slub.c:1869 new_slab_objects mm/slub.c:2627 [inline] ___slab_alloc+0x302/0x4b0 mm/slub.c:2791 __slab_alloc+0x63/0xa0 mm/slub.c:2831 slab_alloc_node mm/slub.c:2913 [inline] slab_alloc mm/slub.c:2955 [inline] kmem_cache_alloc_trace+0x1bd/0x2e0 mm/slub.c:2972 kmalloc include/linux/slab.h:552 [inline] tipc_dest_push net/tipc/name_table.c:1120 [inline] tipc_nametbl_mc_lookup+0x574/0xb10 net/tipc/name_table.c:658 tipc_sk_mcast_rcv+0x590/0x10b0 net/tipc/socket.c:1232 tipc_mcast_xmit+0x144a/0x1b30 net/tipc/bcast.c:424 tipc_send_group_bcast+0x843/0xb50 net/tipc/socket.c:1114 __tipc_sendmsg+0x1364/0x3ab0 tipc_sendmsg+0x55/0x70 net/tipc/socket.c:1391 sock_sendmsg_nosec net/socket.c:652 [inline] __sock_sendmsg net/socket.c:664 [inline] ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2374 ___sys_sendmsg+0x252/0x2e0 net/socket.c:2428 __sys_sendmmsg+0x2c3/0x510 net/socket.c:2514 page last free stack trace: reset_page_owner include/linux/page_owner.h:28 [inline] free_pages_prepare mm/page_alloc.c:1349 [inline] free_pcp_prepare mm/page_alloc.c:1421 [inline] free_unref_page_prepare+0x2ae/0x2d0 mm/page_alloc.c:3336 free_unref_page mm/page_alloc.c:3391 [inline] free_the_page+0x9e/0x370 mm/page_alloc.c:5405 __free_pages+0x67/0xc0 mm/page_alloc.c:5416 __free_slab+0xcf/0x190 mm/slub.c:1894 free_slab mm/slub.c:1909 [inline] discard_slab mm/slub.c:1915 [inline] unfreeze_partials+0x15e/0x190 mm/slub.c:2410 put_cpu_partial+0xbf/0x180 mm/slub.c:2446 __slab_free+0x2c8/0x3a0 mm/slub.c:3095 do_slab_free mm/slub.c:3191 [inline] ___cache_free+0x111/0x130 mm/slub.c:3210 qlink_free+0x50/0x90 mm/kasan/quarantine.c:157 qlist_free_all+0x47/0xb0 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:440 kasan_slab_alloc include/linux/kasan.h:244 [inline] slab_post_alloc_hook+0x61/0x2f0 mm/slab.h:583 slab_alloc_node mm/slub.c:2947 [inline] slab_alloc mm/slub.c:2955 [inline] kmem_cache_alloc+0x168/0x2e0 mm/slub.c:2960 kmem_cache_alloc_node include/linux/slab.h:423 [inline] __alloc_skb+0x80/0x510 net/core/skbuff.c:199 alloc_skb_fclone include/linux/skbuff.h:1176 [inline] tipc_buf_acquire net/tipc/msg.c:74 [inline] tipc_msg_build+0x13e/0x1040 net/tipc/msg.c:390 Memory state around the buggy address: ffff888112aba280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ffff888112aba300: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc >ffff888112aba380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ^ ffff888112aba400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ffff888112aba480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ================================================================== general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#2] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 20908 Comm: syz-executor.2 Tainted: G B D 5.10.204-syzkaller-01048-gf7977422e132 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 RIP: 0010:selinux_key_permission+0xff/0x190 security/selinux/hooks.c:6685 Code: 8b 23 49 83 e7 fe 49 83 c7 68 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 2b db 79 ff 49 8b 1f 48 89 d8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 75 68 8b 13 48 c7 c7 a0 a4 0e 87 44 89 e6 b9 RSP: 0018:ffffc900064bf720 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff822e37b5 RDX: 0000000000000000 RSI: 0000000000000286 RDI: ffff888112aba368 RBP: ffffc900064bf748 R08: 0000000000000005 R09: ffffffff822e36ea R10: 000000000000000a R11: ffff888196da3b40 R12: 0000000000000082 R13: dffffc0000000000 R14: 0000000000000008 R15: ffff888112aba368 FS: 00007fa0f6fa76c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000114db9000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: security_key_permission+0x72/0xb0 security/security.c:2454 key_task_permission+0x332/0x460 security/keys/permission.c:90 search_nested_keyrings+0x93d/0x1170 security/keys/keyring.c:793 keyring_search_rcu+0x18e/0x290 security/keys/keyring.c:922 search_cred_keyrings_rcu+0x499/0x5f0 security/keys/process_keys.c:501 search_process_keyrings_rcu+0x21/0x280 security/keys/process_keys.c:544 request_key_and_link+0x33c/0x1450 security/keys/request_key.c:618 __do_sys_request_key security/keys/keyctl.c:222 [inline] __se_sys_request_key+0x26d/0x3b0 security/keys/keyctl.c:167 __x64_sys_request_key+0x9b/0xb0 security/keys/keyctl.c:167 do_syscall_64+0x34/0x70 entry_SYSCALL_64_after_hwframe+0x61/0xc6 RIP: 0033:0x7fa0f8224ce9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa0f6fa70c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f9 RAX: ffffffffffffffda RBX: 00007fa0f8343f80 RCX: 00007fa0f8224ce9 RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040 RBP: 00007fa0f827147a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fa0f8343f80 R15: 00007ffcbcd64358 Modules linked in: ---[ end trace 5447894fcf0d29aa ]--- RIP: 0010:selinux_key_permission+0xff/0x190 security/selinux/hooks.c:6685 ---------------- Code disassembly (best guess): 0: 8b 23 mov (%rbx),%esp 2: 49 83 e7 fe and $0xfffffffffffffffe,%r15 6: 49 83 c7 68 add $0x68,%r15 a: 4c 89 f8 mov %r15,%rax d: 48 c1 e8 03 shr $0x3,%rax 11: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) 16: 74 08 je 0x20 18: 4c 89 ff mov %r15,%rdi 1b: e8 2b db 79 ff call 0xff79db4b 20: 49 8b 1f mov (%r15),%rbx 23: 48 89 d8 mov %rbx,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax <-- trapping instruction 2f: 84 c0 test %al,%al 31: 75 68 jne 0x9b 33: 8b 13 mov (%rbx),%edx 35: 48 c7 c7 a0 a4 0e 87 mov $0xffffffff870ea4a0,%rdi 3c: 44 89 e6 mov %r12d,%esi 3f: b9 .byte 0xb9