audit: type=1400 audit(1560608485.606:5): avc: denied { associate } for pid=2077 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x22d/0x260 net/core/neighbour.c:2659
Read of size 8 at addr ffff8801c962de40 by task syz-executor.0/2872

CPU: 1 PID: 2872 Comm: syz-executor.0 Not tainted 4.9.181+ #9
 ffff8801cde3f2c0 ffffffff81b57e21 0000000000000000 ffffea0007258b40
 ffff8801c962de40 0000000000000008 ffffffff82347b5d ffff8801cde3f2f8
 ffffffff8150abe8 0000000000000000 ffff8801c962de40 ffff8801c962de40
Call Trace:
 [<00000000e144a64b>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000e144a64b>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<00000000d79f4d68>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
 [<00000000ddc76c72>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<00000000ddc76c72>] kasan_report mm/kasan/report.c:413 [inline]
 [<00000000ddc76c72>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<00000000c3551b5e>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:434
 [<00000000d443a36b>] pneigh_get_next.isra.0+0x22d/0x260 net/core/neighbour.c:2659
 [<00000000600da899>] neigh_seq_next+0xb4/0x1e0 net/core/neighbour.c:2741
 [<00000000b8db63bd>] seq_read+0xad6/0x1250 fs/seq_file.c:270
 [<000000003aa89f52>] proc_reg_read+0xfd/0x180 fs/proc/inode.c:203
 [<00000000a0070353>] do_loop_readv_writev.part.0+0xcc/0x2c0 fs/read_write.c:721
 [<00000000ca58308c>] do_loop_readv_writev fs/read_write.c:710 [inline]
 [<00000000ca58308c>] do_readv_writev+0x556/0x7a0 fs/read_write.c:876
 [<0000000092071624>] vfs_readv+0x86/0xc0 fs/read_write.c:900
 [<00000000ea3924fc>] kernel_readv fs/splice.c:363 [inline]
 [<00000000ea3924fc>] default_file_splice_read+0x44b/0x7e0 fs/splice.c:435
 [<000000007dd30619>] do_splice_to+0x108/0x170 fs/splice.c:899
 [<0000000056fb7ddf>] splice_direct_to_actor+0x246/0x820 fs/splice.c:971
 [<00000000735a096b>] do_splice_direct+0x1a5/0x260 fs/splice.c:1080
 [<00000000d4e5abef>] do_sendfile+0x503/0xc00 fs/read_write.c:1402
 [<00000000a12fbc02>] SYSC_sendfile64 fs/read_write.c:1463 [inline]
 [<00000000a12fbc02>] SyS_sendfile64+0x145/0x160 fs/read_write.c:1449
 [<00000000ca3dcb1a>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000bce52e31>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 2873:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:512 [inline]
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 __kmalloc+0x133/0x320 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 pneigh_lookup+0x184/0x3f0 net/core/neighbour.c:595
 arp_req_set_public net/ipv4/arp.c:992 [inline]
 arp_req_set+0x445/0x550 net/ipv4/arp.c:1008
 arp_ioctl+0x402/0x690 net/ipv4/arp.c:1203
 inet_ioctl+0x123/0x1a0 net/ipv4/af_inet.c:891
 sock_do_ioctl+0x6a/0xb0 net/socket.c:906
 sock_ioctl+0x24c/0x3d0 net/socket.c:992
 vfs_ioctl fs/ioctl.c:43 [inline]
 file_ioctl fs/ioctl.c:493 [inline]
 do_vfs_ioctl+0xb87/0x11d0 fs/ioctl.c:677
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2870:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:512 [inline]
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfc/0x310 mm/slub.c:3878
 pneigh_ifdown_and_unlock net/core/neighbour.c:675 [inline]
 neigh_ifdown+0x21c/0x2e0 net/core/neighbour.c:259
 arp_ifdown+0x1d/0x30 net/ipv4/arp.c:1249
 inetdev_destroy net/ipv4/devinet.c:306 [inline]
 inetdev_event+0x60d/0x10c0 net/ipv4/devinet.c:1480
 notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x56/0x70 net/core/dev.c:1647
 call_netdevice_notifiers net/core/dev.c:1663 [inline]
 rollback_registered_many+0x6ef/0xb50 net/core/dev.c:6860
 rollback_registered+0xf2/0x1b0 net/core/dev.c:6901
 unregister_netdevice_queue net/core/dev.c:7888 [inline]
 unregister_netdevice_queue+0x1ae/0x230 net/core/dev.c:7881
 unregister_netdevice include/linux/netdevice.h:2468 [inline]
 __tun_detach+0x820/0xa00 drivers/net/tun.c:575
 tun_detach drivers/net/tun.c:585 [inline]
 tun_chr_close+0x46/0x60 drivers/net/tun.c:2400
 __fput+0x274/0x720 fs/file_table.c:208
 ____fput+0x16/0x20 fs/file_table.c:244
 task_work_run+0x108/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x13b/0x160 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:266 [inline]
 do_syscall_64+0x3ab/0x5c0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801c962de40
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8801c962de40, ffff8801c962de80)
The buggy address belongs to the page:
page:ffffea0007258b40 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000200(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c962dd00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8801c962dd80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
>ffff8801c962de00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8801c962de80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801c962df00: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
==================================================================