audit: type=1400 audit(2000001337.820:119103): avc: denied { search } for pid=190 comm="udevd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir permissive=1 audit: type=1400 audit(2000001337.850:119104): avc: denied { search } for pid=190 comm="udevd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir permissive=1 usercopy: kernel memory exposure attempt detected from 'proc_inode_cache' (1097 bytes) ================================================================== BUG: KASAN: use-after-free in _copy_to_user+0x9d/0xd0 lib/usercopy.c:27 Read of size 1097 at addr ffff88817abffff2 by task syz-executor.4/887 CPU: 0 PID: 887 Comm: syz-executor.4 Not tainted 4.14.141+ #40 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xca/0x134 lib/dump_stack.c:53 print_address_description+0x60/0x226 mm/kasan/report.c:187 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316 _copy_to_user+0x9d/0xd0 lib/usercopy.c:27 copy_to_user include/linux/uaccess.h:155 [inline] bpf_test_finish.isra.0+0xa7/0x160 net/bpf/test_run.c:59 bpf_prog_test_run_skb+0x528/0x8c0 net/bpf/test_run.c:144 bpf_prog_test_run kernel/bpf/syscall.c:1346 [inline] SYSC_bpf kernel/bpf/syscall.c:1618 [inline] SyS_bpf+0xa3b/0x3830 kernel/bpf/syscall.c:1563 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x459879 RSP: 002b:00007f0f8f0bac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459879 RDX: 0000000000000028 RSI: 00000000200001c0 RDI: 000000000000000a RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0f8f0bb6d4 R13: 00000000004bfbf2 R14: 00000000004d18b8 R15: 00000000ffffffff The buggy address belongs to the page: page:ffffea0005eaffc0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88817abffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88817abfff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88817abfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88817ac00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88817ac00080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== audit: type=1400 audit(2000001337.870:119105): avc: denied { search } for pid=31320 comm="udevd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir permissive=1 audit: type=1400 audit(2000001337.880:119106): avc: denied { search } for pid=31320 comm="udevd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir permissive=1 ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:71! audit: type=1400 audit(2000001337.900:119107): avc: denied { search } for pid=31320 comm="udevd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir permissive=1 invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI Modules linked in: CPU: 1 PID: 912 Comm: syz-executor.4 Tainted: G B 4.14.141+ #40 task: 00000000024c2134 task.stack: 00000000ea0de3f2 RIP: 0010:report_usercopy mm/usercopy.c:71 [inline] RIP: 0010:__check_object_size mm/usercopy.c:263 [inline] RIP: 0010:__check_object_size.cold+0x58/0x84 mm/usercopy.c:221 RSP: 0018:ffff88819de4fbc0 EFLAGS: 00010286 RAX: 0000000000000056 RBX: ffff8881837ffff2 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900061c7000 RDI: ffffed1033bc9f6a RBP: 0000000000000449 R08: 0000000000000056 R09: ffffed103b744ce9 R10: ffffed103b744ce8 R11: ffff8881dba26747 R12: ffffffffa54bd6e0 R13: 0000000000000001 R14: ffffffffa54bd6a0 R15: ffffea00060dff00 audit: type=1400 audit(2000001337.930:119108): avc: denied { search } for pid=31320 comm="udevd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir permissive=1 FS: 00007f0f8f079700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c42797f000 CR3: 00000001a360a003 CR4: 00000000001606a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Call Trace: check_object_size include/linux/thread_info.h:108 [inline] check_copy_size include/linux/thread_info.h:139 [inline] copy_to_user include/linux/uaccess.h:154 [inline] bpf_test_finish.isra.0+0x99/0x160 net/bpf/test_run.c:59 bpf_prog_test_run_skb+0x528/0x8c0 net/bpf/test_run.c:144 bpf_prog_test_run kernel/bpf/syscall.c:1346 [inline] SYSC_bpf kernel/bpf/syscall.c:1618 [inline] SyS_bpf+0xa3b/0x3830 kernel/bpf/syscall.c:1563 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x459879 RSP: 002b:00007f0f8f078c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459879 RDX: 0000000000000028 RSI: 00000000200001c0 RDI: 000000000000000a RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0f8f0796d4 R13: 00000000004bfbf2 R14: 00000000004d18b8 R15: 00000000ffffffff Code: c7 c2 e0 d6 4b a5 4c 0f 45 e2 e8 68 0d db ff 48 8b 04 24 49 89 e8 4c 89 f2 4c 89 e6 48 c7 c7 20 d7 4b a5 48 89 c1 e8 57 32 cc ff <0f> 0b 48 c7 c0 60 d5 4b a5 eb a4 48 c7 c0 20 d5 4b a5 eb 9b 48 RIP: report_usercopy mm/usercopy.c:71 [inline] RSP: ffff88819de4fbc0 RIP: __check_object_size mm/usercopy.c:263 [inline] RSP: ffff88819de4fbc0 RIP: __check_object_size.cold+0x58/0x84 mm/usercopy.c:221 RSP: ffff88819de4fbc0