audit: type=1400 audit(1566652339.507:74): avc: denied { associate } for pid=9774 comm="syz-executor.4" name="#3" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 ================================================================== BUG: KASAN: use-after-free in llc_conn_ac_send_sabme_cmd_p_set_x+0x38a/0x440 net/llc/llc_c_ac.c:785 Read of size 1 at addr ffff88805daed710 by task syz-executor.2/9781 CPU: 1 PID: 9781 Comm: syz-executor.2 Not tainted 4.14.139 #35 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x138/0x19c lib/dump_stack.c:53 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 llc_conn_ac_send_sabme_cmd_p_set_x+0x38a/0x440 net/llc/llc_c_ac.c:785 llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] llc_conn_service net/llc/llc_conn.c:400 [inline] llc_conn_state_process+0x3e6/0x1190 net/llc/llc_conn.c:75 llc_process_tmr_ev net/llc/llc_c_ac.c:1434 [inline] llc_conn_tmr_common_cb+0x281/0x760 net/llc/llc_c_ac.c:1328 llc_conn_ack_tmr_cb+0x1b/0x20 net/llc/llc_c_ac.c:1345 call_timer_fn+0x161/0x670 kernel/time/timer.c:1279 expire_timers kernel/time/timer.c:1318 [inline] __run_timers kernel/time/timer.c:1634 [inline] __run_timers kernel/time/timer.c:1602 [inline] run_timer_softirq+0x5b4/0x1570 kernel/time/timer.c:1647 __do_softirq+0x244/0x9a0 kernel/softirq.c:288 invoke_softirq kernel/softirq.c:368 [inline] irq_exit+0x160/0x1b0 kernel/softirq.c:409 exiting_irq arch/x86/include/asm/apic.h:648 [inline] smp_apic_timer_interrupt+0x146/0x5e0 arch/x86/kernel/apic/apic.c:1064 apic_timer_interrupt+0x96/0xa0 arch/x86/entry/entry_64.S:792 RIP: 0010:atomic_inc arch/x86/include/asm/atomic.h:92 [inline] RIP: 0010:page_dup_rmap include/linux/rmap.h:189 [inline] RIP: 0010:copy_one_pte mm/memory.c:1045 [inline] RIP: 0010:copy_pte_range mm/memory.c:1106 [inline] RIP: 0010:copy_pmd_range mm/memory.c:1157 [inline] RIP: 0010:copy_pud_range mm/memory.c:1191 [inline] RIP: 0010:copy_p4d_range mm/memory.c:1213 [inline] RIP: 0010:copy_page_range+0xb89/0x1bd0 mm/memory.c:1275 RSP: 0018:ffff88805899fa48 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff10 RAX: 0000000000040000 RBX: dffffc0000000000 RCX: ffffc9000aa63000 RDX: 0000000000034805 RSI: ffffffff817cc8af RDI: ffffea00020cc55c RBP: ffff88805899fbd8 R08: ffffea00020cc540 R09: ffffffff88c86130 R10: ffff8880a85deaa0 R11: ffff8880a85de180 R12: ffffea00020cc560 R13: ffffea00020cc540 R14: ffff888081ed3110 R15: 8000000083315007 dup_mmap kernel/fork.c:714 [inline] dup_mm kernel/fork.c:1208 [inline] copy_mm kernel/fork.c:1263 [inline] copy_process.part.0+0x4764/0x6a00 kernel/fork.c:1780 copy_process kernel/fork.c:1595 [inline] _do_fork+0x19e/0xce0 kernel/fork.c:2085 SYSC_clone kernel/fork.c:2195 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2189 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x459879 RSP: 002b:00007fa1737b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459879 RDX: 9999999999999999 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 000000000075bf20 R08: ffffffffffffffff R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa1737b16d4 R13: 00000000004bfd46 R14: 00000000004d1af8 R15: 00000000ffffffff Allocated by task 9721: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc mm/kasan/kasan.c:551 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529 kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618 kmalloc include/linux/slab.h:488 [inline] kzalloc include/linux/slab.h:661 [inline] llc_sap_alloc net/llc/llc_core.c:35 [inline] llc_sap_open+0x108/0x340 net/llc/llc_core.c:102 llc_ui_bind+0x975/0xc30 net/llc/af_llc.c:364 SYSC_bind+0x1d3/0x220 net/socket.c:1489 SyS_bind+0x24/0x30 net/socket.c:1475 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 9737: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xcc/0x270 mm/slab.c:3815 llc_sap_close+0x140/0x1a0 net/llc/llc_core.c:132 llc_sap_put include/net/llc.h:129 [inline] llc_ui_release+0x1d8/0x280 net/llc/af_llc.c:211 __sock_release+0xce/0x2b0 net/socket.c:602 sock_close+0x1b/0x30 net/socket.c:1139 __fput+0x275/0x7a0 fs/file_table.c:210 ____fput+0x16/0x20 fs/file_table.c:244 task_work_run+0x114/0x190 kernel/task_work.c:113 get_signal+0x18a8/0x1cd0 kernel/signal.c:2220 do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814 exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x42/0xb7 The buggy address belongs to the object at ffff88805daed700 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 16 bytes inside of 2048-byte region [ffff88805daed700, ffff88805daedf00) The buggy address belongs to the page: page:ffffea000176bb00 count:1 mapcount:0 mapping:ffff88805daec600 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000008100(slab|head) raw: 01fffc0000008100 ffff88805daec600 0000000000000000 0000000100000003 raw: ffffea000176b2a0 ffffea000176ea20 ffff8880aa800c40 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88805daed600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88805daed680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88805daed700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88805daed780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88805daed800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================