audit: type=1400 audit(1592406889.731:8): avc: denied { execmem } for pid=6342 comm="syz-executor293" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68 Read of size 2 at addr ffff8880902be001 by task syz-executor293/6343 CPU: 0 PID: 6343 Comm: syz-executor293 Not tainted 4.14.184-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393 __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68 ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240 iterate_dir+0x1a0/0x5e0 fs/readdir.c:52 SYSC_getdents64 fs/readdir.c:355 [inline] SyS_getdents64+0x130/0x240 fs/readdir.c:336 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x441369 RSP: 002b:00007ffc66332028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007ffc663320a0 RCX: 0000000000441369 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007ffc66332040 R08: 00000000bb1414ac R09: 00000000bb1414ac R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000003 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 4799: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3720 [inline] __kmalloc_track_caller+0x155/0x400 mm/slab.c:3735 kmemdup_nul+0x2d/0xa0 mm/util.c:138 security_context_to_sid_core+0x94/0x3d0 security/selinux/ss/services.c:1420 selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377 selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152 security_inode_notifysecctx+0x76/0xb0 security/security.c:1314 kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195 kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302 do_inode_permission fs/namei.c:384 [inline] __inode_permission+0x1f1/0x2f0 fs/namei.c:426 inode_permission+0x23/0x100 fs/namei.c:476 may_lookup fs/namei.c:1717 [inline] link_path_walk+0x851/0x1080 fs/namei.c:2097 path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342 filename_lookup+0x18e/0x380 fs/namei.c:2377 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0xd1/0x160 fs/stat.c:185 vfs_lstat include/linux/fs.h:3066 [inline] SYSC_newlstat fs/stat.c:350 [inline] SyS_newlstat+0x83/0xe0 fs/stat.c:344 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 4799: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xcb/0x260 mm/slab.c:3815 security_context_to_sid_core+0x284/0x3d0 security/selinux/ss/services.c:1460 selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377 selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152 security_inode_notifysecctx+0x76/0xb0 security/security.c:1314 kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195 kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302 do_inode_permission fs/namei.c:384 [inline] __inode_permission+0x1f1/0x2f0 fs/namei.c:426 inode_permission+0x23/0x100 fs/namei.c:476 may_lookup fs/namei.c:1717 [inline] link_path_walk+0x851/0x1080 fs/namei.c:2097 path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342 filename_lookup+0x18e/0x380 fs/namei.c:2377 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0xd1/0x160 fs/stat.c:185 vfs_lstat include/linux/fs.h:3066 [inline] SYSC_newlstat fs/stat.c:350 [inline] SyS_newlstat+0x83/0xe0 fs/stat.c:344 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb The buggy address belongs to the object at ffff8880902be000 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 1 bytes inside of 32-byte region [ffff8880902be000, ffff8880902be020) The buggy address belongs to the page: page:ffffea000240af80 count:1 mapcount:0 mapping:ffff8880902be000 index:0xffff8880902befc1 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffff8880902be000 ffff8880902befc1 000000010000003f raw: ffffea00024079e0 ffffea0002aa6720 ffff8880aa8001c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880902bdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880902bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880902be000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff8880902be080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff8880902be100: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc ==================================================================