audit: type=1400 audit(1574655995.059:8): avc: denied { prog_load } for pid=1784 comm="syz-executor596" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
==================================================================
audit: type=1400 audit(1574655995.099:9): avc: denied { prog_run } for pid=1784 comm="syz-executor596" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
BUG: KASAN: use-after-free in ____bpf_skb_change_head net/core/filter.c:2423 [inline]
BUG: KASAN: use-after-free in bpf_skb_change_head+0x4ea/0x600 net/core/filter.c:2419
Read of size 4 at addr ffff8881d3a09e78 by task syz-executor596/1784

CPU: 0 PID: 1784 Comm: syz-executor596 Not tainted 4.14.155-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 ____bpf_skb_change_head net/core/filter.c:2423 [inline]
 bpf_skb_change_head+0x4ea/0x600 net/core/filter.c:2419
 ___bpf_prog_run+0x2478/0x5510 kernel/bpf/core.c:1095

Allocated by task 1591:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 anon_vma_chain_alloc mm/rmap.c:129 [inline]
 anon_vma_fork+0x1d3/0x470 mm/rmap.c:344
 dup_mmap kernel/fork.c:674 [inline]
 dup_mm kernel/fork.c:1213 [inline]
 copy_mm kernel/fork.c:1268 [inline]
 copy_process.part.0+0x2854/0x66c0 kernel/fork.c:1895
 copy_process kernel/fork.c:1679 [inline]
 _do_fork+0x197/0xce0 kernel/fork.c:2220
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 1746:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 anon_vma_chain_free mm/rmap.c:134 [inline]
 unlink_anon_vmas+0x45f/0x7e0 mm/rmap.c:419
 free_pgtables+0xab/0x1c0 mm/memory.c:643
 exit_mmap+0x222/0x440 mm/mmap.c:3078
 __mmput kernel/fork.c:940 [inline]
 mmput+0xeb/0x370 kernel/fork.c:961
 exec_mmap fs/exec.c:1039 [inline]
 flush_old_exec+0x80d/0x1a50 fs/exec.c:1271
 load_elf_binary+0x84f/0x46e0 fs/binfmt_elf.c:855
 search_binary_handler fs/exec.c:1638 [inline]
 search_binary_handler+0x13f/0x6d0 fs/exec.c:1616
 load_script+0x566/0x780 fs/binfmt_script.c:148
 search_binary_handler fs/exec.c:1638 [inline]
 search_binary_handler+0x13f/0x6d0 fs/exec.c:1616
 exec_binprm fs/exec.c:1680 [inline]
 do_execveat_common.isra.0+0xf73/0x1bb0 fs/exec.c:1802
 do_execve fs/exec.c:1847 [inline]
 SYSC_execve fs/exec.c:1928 [inline]
 SyS_execve+0x34/0x40 fs/exec.c:1923
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881d3a09e40
 which belongs to the cache anon_vma_chain of size 64
The buggy address is located 56 bytes inside of
 64-byte region [ffff8881d3a09e40, ffff8881d3a09e80)
The buggy address belongs to the page:
page:ffffea00074e8240 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000200(slab)
raw: 4000000000000200 0000000000000000 0000000000000000 00000001002a002a
raw: 0000000000000000 0000000100000001 ffff8881da823000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3a09d00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881d3a09d80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
>ffff8881d3a09e00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881d3a09e80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881d3a09f00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
==================================================================